A. Dubey,X. Wu,H. Su,T. J. Koo

DOI: https://doi.org/10.1007/11562948_11

2005-01-01

Abstract:In this paper, we describe a computation platform called ReachLab, which enables automatic analysis of embedded software systems that interact with continuous environment. Algorithms are used to specify how the state space of the system model should be explored in order to perform analysis. In ReachLab, both system models and analysis algorithm models are specified in the same framework using Hybrid System Analysis and Design Language (HADL), which is a meta-model based language. The platform allows the models of algorithms to be constructed hierarchically and promotes their reuse in constructing more complex algorithms. Moreover, the platform is designed in such a way that the concerns of design and implementation of analysis algorithms are separated. On one hand, the models of analysis algorithms are abstract and therefore the design of algorithms can be made independent of implementation details. On the other hand, translators are provided to automatically generate implementations from the models for computing analysis results based on computation kernels. Multiple computation kernels, which are based on specific computation tools such as d/dt and the Level Set toolbox, are supported and can be chosen to enable hybrid state space exploration. An example is provided to illustrate the design and implementation process in ReachLab.

Julien Brunel,Laurent Rioux,Stéphane Paul,Anthony Faucogney,Frédérique Vallée

DOI: https://doi.org/10.4204/EPTCS.150.2

2014-05-06

Abstract:We propose an approach based on Alloy to formally model and assess a system architecture with respect to safety and security requirements. We illustrate this approach by considering as a case study an avionic system developed by Thales, which provides guidance to aircraft. We show how to define in Alloy a metamodel of avionic architectures with a focus on failure propagations. We then express the specific architecture of the case study in Alloy. Finally, we express and check properties that refer to the robustness of the architecture to failures and attacks.

Software Engineering

Yu Tan,Yongwang Zhao,Dianfu Ma,Xuejun Zhang

DOI: https://doi.org/10.1155/2022/2079880

2021-01-01

IOP Conference Series Earth and Environmental Science

Abstract:In safety-critical fields, architectural languages such as AADL (Architecture Analysis and Design Language) have been playing an important role, and the analysis of the languages and systems designed by them is a challenging research topic. At present, a formal method has become one of the main practices in software engineering for strict analysis, and it has been applied on the tools of formalization and analysis. The formal method can be used to find and resolve the problems early by describing the system with precise semantics and validating the system model. This article studies the comprehensive formal specification and verification of AADL with Behavior annex by the formal method. The presentation of this specification and semantics is the aim of this article, and the work is illustrated with an ARINC653 model case study in Isabelle/HOL.

Xiaohong Chen,Juan Zhang,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/tits.2023.3324022

IF: 8.5

2023-12-05

IEEE Transactions on Intelligent Transportation Systems

Abstract:Consistency verification of safety requirements is crucial for the success of safety-critical systems, particularly railway systems. However, this task often requires significant time spent on interaction and communication between domain experts, who possess in-depth knowledge of safety requirements in a specific domain, and formal experts, who have the necessary skills to apply verification tools and techniques. To enhance time efficiency and productivity, we propose an approach to empower domain experts with formal methods for verifying safety requirements' consistency. This involves transforming natural requirements into formal models and using formal methods for verification. The approach also localizes inconsistent requirements to provide feedback to domain experts. Communication between domain experts and formal experts can be facilitated through the pattern language SafeNL. By adopting this approach, domain experts can utilize formal verification without extensive consultation with formal experts. Two practical case studies with CASCO Signal Ltd. validate its effectiveness, practicality, as well as a significant reduction of time compared to traditional methods (at least 90% reduction). This reduction in time is primarily due to reduced communication needs and more efficient localization. Evaluations show that SafeNL is user-friendly and the approach performs well in modular systems while scalability is somewhat limited.

engineering, electrical & electronic,transportation science & technology, civil

Nuno Macedo,Alcino Cunha

DOI: https://doi.org/10.48550/arXiv.1603.03599

2016-03-11

Software Engineering

Abstract:Alloy and TLA+ are two formal specification languages that are increasingly popular due to their simplicity and flexibility, as well as the effectiveness of their companion model checkers, the Alloy Analyzer and TLC, respectively. Nonetheless, while TLA+ focuses on temporal properties, Alloy is better suited to handle structural properties, requiring ad hoc mechanisms to reason about temporal properties. Thus, both have limitations in the specification and analysis of systems rich in both static and dynamic properties. This paper explores the pros and cons of these two frameworks when handling this class of systems through the step-by-step modeling, specification and verification of an example.

Xiaohong Chen,Zhiwei Zhong,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/re.2019.00040

2019-01-01

Abstract:Consistency verification of safety requirements is an important but still challenging task for safety-critical systems such as rail transit systems. That is mainly because requirements are typically written in natural language and with strong time constraints. Driven by the practical need from industry, in this paper we propose a systematic approach to specify safety requirements in a quasi-natural language and automatically verify their consistency using formal methods. Specifically, we define a domain specific language SafeNL to specify safety requirements, and then automatically transform them into formal constraints defined in the Clock Constraint Specification Language (CCSL). The transformed constraints can be automatically and efficiently verified by model checking. We conduct two practical case studies to analyze the safety requirements of an interlocking system in CASCO Signal Ltd. Results of the studies show the validity and utility of our approach can pragmatically contribute to industrial practice. We also report some lessons learned from case studies.

William Heaven,Alessandra Russo

DOI: https://doi.org/10.48550/arXiv.cs/0508109

2005-08-24

Abstract:Formal techniques have been shown to be useful in the development of correct software. But the level of expertise required of practitioners of these techniques prohibits their widespread adoption. Formal techniques need to be tailored to the commercial software developer. Alloy is a lightweight specification language supported by the Alloy Analyzer (AA), a tool based on off-the-shelf SAT technology. The tool allows a user to check interactively whether given properties are consistent or valid with respect to a high-level specification, providing an environment in which the correctness of such a specification may be established. However, Alloy is not particularly suited to expressing program specifications and the feedback provided by AA can be misleading where the specification under analysis or the property being checked contains inconsistencies. In this paper, we address these two shortcomings. Firstly, we present a lightweight language called "Loy", tailored to the specification of object-oriented programs. An encoding of Loy into Alloy is provided so that AA can be used for automated analysis of Loy program specifications. Secondly, we present some "patterns of analysis" that guide a developer through the analysis of a Loy specification in order to establish its correctness before implementation.

Software Engineering,Logic in Computer Science

Gurvan Le Guernic

DOI: https://doi.org/10.48550/arXiv.1405.1115

2014-05-06

Cryptography and Security

Abstract:A system is said to be fail-secure, sometimes confused with fail-safe, if it maintains its security requirements even in the event of some faults. Fail-secure analyses are required by some validation schemes, such as some Common Criteria or NATO certifications. However, it is an aspect of security which as been overlooked by the community. This paper attempts to shed some light on the fail-secure field of study by: giving a definition of fail-secure as used in those certification schemes, and emphasizing the differences with fail-safe; and exhibiting a first feasibility draft of a fail-secure design analysis tool based on the Alloy model checker.

Petr N. Devyanin,Alexey V. Khoroshilov,Victor V. Kuliamin,Alexander K. Petrenko,Ilya V. Shchepetkov

DOI: https://doi.org/10.1007/978-3-662-43652-3_30

2014-01-01

Abstract:The paper presents a work-in-progress on formal verification of operating system security model, which integrates control of confidentiality and integrity levels with role-based access control. The main goal is to formalize completely the security model and to prove its consistency and conformance to basic correctness requirements concerning keeping levels of integrity and confidentiality. Additional goal is to perform data flow analysis of the model to check whether it can preserve security in the face of certain attacks. Alloy and Event-B were used for formalization and verification of the model. Alloy was applied to provide quick constraint-based checking and uncover various issues concerning inconsistency or incompleteness of the model. Event-B was applied for full-scale deductive verification. Both tools worked well on first steps of model development, while after certain complexity was reached Alloy began to demonstrate some scalability issues.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.1109/ICCASM.2010.5620084

2010-01-01

Abstract:A modeling and verification methodology is presented for railway interlocking system which is regarded as a safety-critical system. The methodology utilizes UML (Unified Modeling Language) to model the function requirement and FSM (Finite State Machine) to verify the safety requirements of the specification. The device specifications of railway interlocking system are modeled with UML, and dynamic behaviors of the device and whole system are modeled with FSM, the safety specification is translated LTL (Linear Temporal Logic) and analyzed with NuSMV. We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Eun-Young Kang,Li Huang,Dongrui Mu

DOI: https://doi.org/10.48550/arXiv.1803.06075

2018-03-16

Software Engineering

Abstract:Modeling and analysis of nonfunctional requirements is crucial in automotive systems. EAST-ADL is an architectural language dedicated to safety-critical automotive system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware timed (ET) behaviors modeled in SIMULINK/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK DESIGN VERIFIER (SDV), i.e., the ET constraints are translated into proof objective models that can be verified using SDV. Furthermore, probabilistic extension of EAST-ADL constraints is defined and the semantics of the extended constraints is translated into verifiable UPPAAL models with stochastic semantics for formal verification. A set of mapping rules are proposed to facilitate the guarantee of translation. Verification & Validation are performed on the extended timing and energy constraints using SDV and UPPAAL-SMC. Our approach is demonstrated on a cooperative automotive system case study.

Lu Chen,Jian Jiao,Qianxin Wei,Tingdi Zhao

DOI: https://doi.org/10.1016/j.engfailanal.2017.06.034

IF: 4

2017-01-01

Engineering Failure Analysis

Abstract:It is important to analyze the failure in safety-critical system because a disaster may occur once any type of failure mode and/or failure effect is neglected or misjudged. In order to conduct the failure analysis more effectively and efficiently, the concept of formal modeling is introduced. This paper improved the model-based safety analysis (MBSA) working process to optimize the formal failure analysis approach of safety-critical system. As the core works of MBSA process, the formal modeling and model extension aim to build an integrated system model which can be used for analyzing the failure behaviors in the system by model checking. However, in order to automatically check if there are any potential failures in the structured system model and whether the model satisfies the specified system properties and requirements using model checker, model transformation is normally needed, which can introduced potential errors during the transformation. Moreover, different model checkers generally require the system models to be expressed in a particular input language, which increases the difficulty of modeling as well. In order to avoid these problems and improve the efficiency of failure analysis work, this paper focused on how to build an unified model of safety-critical system quickly and accurately using symbolic language SMV, and conduct automatic verification using the corresponding open-source model checker NuSMV soon afterwards. After the model checking, the formal verification results such as counter-examples generated by model checking need to be transformed into traditional failure analysis artifacts, such as FMEA and/or FTA, to guide the iterative improvement of system development conveniently. Therefore, to solve the transformation from formal verification conclusions to traditional failure analysis results is another key point of this paper. Finally, a case study about airborne equipment is provided to validate the proposed method.

rong gang,wang shuqing,wang jicheng

DOI: https://doi.org/10.1016/B978-0-08-036929-7.50018-8

1991-01-01

IFAC Proceedings Volumes

Abstract:In large process plants, alarm systems play a very important role in aiding operator in his primary tasks of detecting and interrupting the progression of a fault, and providing corrective actions for fault conditions. In order to improve the success likelihood of the operator in receiving and processing alarms, an intelligent alarm system is required. The concept of intelligent alarm means that the information given by the process alarms and the manner in which this information is provided are based on the process knowledge and helpful for improving operator's fault diagnostic efficiency. In this paper, the intelligent alarm system of a chemical reaction process has been described. The fault propagating model used in design is a knowledge base with a hierarchical structure, in which, the high level is a semantic network describing the causal relationships among faults and the lower levels are functional components and unit operations. Various conditions in which alarms can be activated are adopted so as to indicate different fault situations in different operational mode of the plant. The alarm-placement problem for optimal fault information output has also been solved, and two kind of constraints considered. Alarm handling and reduction is implemented in two steps, firstly, a mixed-direction reasoning technique is employed to acknowledge as many activated alarms as possible and detect spurious alarms, and then, the alarm information is displayed in a prescribed order. The designed alarm system is implemented with a personal computer although both knowledge-based techniques and conventional numerical algorithms involved. A test case is discussed in detail.

Shahar Maoz,Jan Oliver Ringert,Bernhard Rumpe

DOI: https://doi.org/10.48550/arXiv.1409.2314

2014-09-08

Abstract:We present CD2Alloy, a novel, powerful translation of UML class diagrams (CDs) to Alloy. Unlike existing translations, which are based on a shallow embedding strategy, and are thus limited to checking consistency and generating conforming object models of a single CD, and support a limited set of CD language features, CD2Alloy uses a deeper embedding strategy. Rather than mapping each CD construct to a semantically equivalent Alloy construct, CD2Alloy defines (some) CD constructs as new concepts within Alloy. This enables solving several analysis problems that involve more than one CD and could not be solved by earlier works, and supporting an extended list of CD language features. The ideas are implemented in a prototype Eclipse plug-in. The work advances the state-of-the-art in CD analysis, and can also be viewed as an interesting case study for the different possible translations of one modeling language to another, their strengths and weaknesses.

Software Engineering

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.2991/iccasm.2012.212

2012-01-01

Abstract:A verification methodology is presented for railway interlocking system which is regarded as a safety-critical system.The methodology utilizes UML to model the function requirement and LTL to verify the safety requirements of the specification.The device specifications of railway interlocking system are modeled with UML, then translate into FSM.The safety specification is translated LTL and analyzed with NuSMV.We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Mirian-Hosseinabadi, Seyed-Hassan

DOI: https://doi.org/10.1007/s10270-022-01043-8

2022-11-02

Abstract:Within microservice architecture-based systems, some microservices are integrated to build the software. The integration of these services may be defined based on a workflow model. There are also a variety of different languages available for defining these workflow models. BPMN and YAWL are two such options. It is important that testers test the integration of these microservices. This paper proposes the formal method as the solution for integration testing. This method translates the workflow model to the Alloy. The algorithm has suggested a translation of workflow models to formal specifications. This specification takes into consideration both structural and behavioral aspects. The first perspective is about general structures, while the second is about the behavior of the objects in a specific model. We have proved the correctness of the suggested specifications. For this purpose, the paper has shown that formal definitions are sound and are complete with nine theorems for these properties. The translation from YAWL to Alloy is defined based on their BNF grammar. The generated model is an appropriate source for different purposes containing software testing. The suggested method for software testing is model-driven testing. Logical predicates define the structure of Alloy models. This method uses these logical predicates for generating tests. The test method has used RACC coverage as an example criterion. Alloy Analyzer tests the model by generating test predicates.

computer science, software engineering

Yuan Yuan,Jian Jiao,Mengwei Wei

DOI: https://doi.org/10.1088/1742-6596/1624/4/042060

2020-10-01

Journal of Physics: Conference Series

Abstract:Abstract The integration and interaction of multiple factors in large-scale system such as aircraft is the main reason of safety problem. For example, the aircraft can be affected by a variety of interactive factors due to changes in pilot conditions, avionics equipment and environmental state during flight. Aiming at the process of carrier aircraft landing, this paper proposes a formal modeling method based on System Modeling Language (SysML) to describe and analyze the safety of system. Firstly, the method based on SysML is detailed to model the structural and behavioural aspects, relying on the analysis of mission and/or behavior process. Then, the integrated method of SysML and Simulink, using the TGG method, is adopted to facilitate the analysis of the behavior processes. Finally, the attitude control during the aircraft landing process is taken as an example to assess the deviation and the dangerous time variation of the system in different disturbance degrees, which will help to make a better safety strategy.

Mohammad Nurullah Patwary,Ana Jovanovic,Allison Sullivan

2024-06-14

Abstract:Alloy is well known a declarative modeling language. A key strength of Alloy is its scenario finding toolset, the Analyzer, which allows users to explore all valid scenarios that adhere to the model's constraints up to a user-provided scope. Despite the Analyzer, Alloy is still difficult for novice users to learn and use. A recent empirical study of over 93,000 new user models reveals that users have trouble from the very start: nearly a third of the models novices write fail to compile. We believe that the issue is that Alloy's grammar and type information is passively relayed to the user despite this information outlining a narrow path for how to compose valid formulas. In this paper, we outline a proof-of-concept for a structure editor for Alloy in which user's build their models using block based inputs, rather than free typing, which by design prevents compilation errors.

Software Engineering

Zhe Chen,Gilles Motet

DOI: https://doi.org/10.1109/depend.2009.18

2009-06-01

Abstract:Safety is an important element of dependability. It is defined as the absence of accidents. Most accidents involving software-intensive systems have been system accidents, which are caused by unsafe inter-system or inter-component interactions. To validate the absence of system hazards concerning dysfunctional interactions, industrials call for approaches of modeling system safety requirements and interaction constraints among components. This paper proposes such a formalism, namely interface control systems (or shortly C-Systems). An interface C-System is composed of an interface automaton and a controlling automaton, which formalizes safe interactions and restricts system behavior at the meta level. This framework differs from the framework of traditional model checking. It explicitly separates the tasks of product engineers and safety engineers, and provides a top-down technique for modeling a system with safety constraints, and for automatically composing a safe system that conforms to safety requirements. The contributions of this work include formalizing safety requirements and a way of automatically ensuring system safety.

Jin Song Dong,Jing Sun,Hai H. Wang

DOI: https://doi.org/10.1007/978-3-540-45236-2_43

2003-01-01

Abstract:Semantic Web (SW), commonly regarded as the next generation of the Web, is an emerging vision of the new Web from the Knowledge Representation and the Web communities. The Formal Methods community can also play an important role to contribute to SW development. Reasoning and consistency checking can be useful at many stages during the design, maintenance and deployment of SW ontology. However the existing reasoning and consistency checking tools for SW are primitive. We believe that formal techniques and tools, such as Alloy, can provide automatic reasoning and consistency checking services for SW. In this paper, we firstly construct semantic models for the SW language (DAML+OIL) in Alloy, and these models form the semantic domain for interpreting DAML+OIL in Alloy. Then we develop the translation techniques and tools which can automatically map the SW ontology into the DAML+OIL semantic domain in Alloy. Furthermore, with the assistance of Alloy Analyzer (AA) we demonstrate that the consistency of the SW ontology can be checked automatically and different kinds of reasoning tasks can be supported.