CHEN Feng,LI Wei-hua

2011-01-01

JOURNAL OF NORTHWEST UNIVERSITY(NATURAL SCIENCE EDITION)

Abstract:Aim To analyze and verify the software safety models effectively in the early stage of software design and development.Methods The methods for software safety analysis,derification and fomal modeling prooide that.Results A safety extended deterministic finite automata,SEDFA,is introduced.On the base of establishing security-related non-formal model by UMLsec,the sequence diagram,which expresses the security interaction,can be depicted by SEDFA.Firstly,the automata of signal object are created.Secondly,the product automaton of objects is constructed,and the SEDFA which indicates the complete interaction of the system is obtained.Conclusion It provides the foundation for the system safety property verification and achieving software safety test sases is the fatare work.

Xiaomin Wei,Yunwei Dong,Hong Ye

DOI: https://doi.org/10.1109/TASE.2015.10

2015-01-01

Abstract:Quantitative verification is an effective technique for analyzing quantitative aspects of a safety critical system's design, and safety analysis is a significant aspect of safety critical system. However, they are often conducted separately. In this paper, we propose a new methodology, QaSten, fastens quantitative verification to safety analysis for Architecture Analysis and Design Language (AADL) model (including error model). QaSten formalizes a set of rigorous transformation rules that transform AADL model to PRISM model using formal method. In addition, QaSten can generate two safety property formulas automatically to check against the PRISM model for each hazardous state. Therefore, the occurrence probability of hazardous states can be calculated, which can help system designers understand the impact of parameters in the model. Furthermore, combining the probability and the severity of potential consequence of a hazardous state, QaSten determines the hazard risk acceptance level that can help engineers to identify critical hazard and modify or redesign architecture model to control it in an acceptable level. Two case studies, based on the Gas Leakage Alarm systems, are utilized to demonstrate QaSten's feasibility and effectiveness.

Abeer Saeed Abdo Hadad,Chunyan Ma,Adeeb Abdulwakeel Obadi Ahmed

DOI: https://doi.org/10.1109/access.2020.2987972

IF: 3.9

2020-01-01

IEEE Access

Abstract:AADL is widely used to depict the architecture and behavior of real-time safety-critical systems such as avionics and aerospace. The development of these systems has strict requirements for building fault-free systems. Formal verification is frequently applied to verify the critical properties of the systems, such as safety and liveness; however, the formal verification is not supported by AADL. Model transformation is commonly applied to provide formal semantics; hence, the AADL model can be verified by a language that supports formal verification in addition to the ability to cover all AADL model behavior. Event-B, with its proof obligation, is increasingly used to model and verify safety-critical systems. This paper presents the transformation of the AADL model into Event-B, which captures most AADL components and behavioral actions to be effective in the verification of current real-time systems models. Then, we define theorems and invariants of safety and liveness properties to be proven by using the RODIN platform. To demonstrate the efficacy of our method, we model the AADL of movement authority (MA) control of the Chinese Train Control System, transform the AADL model to Event-B and verify its crucial properties.

Tao Zhang,Yechun Jiang,Junda Ye,Cheng Jing,Huamin Qu

DOI: https://doi.org/10.1109/CICN.2014.240

2014-01-01

Abstract:This paper proposes a model-based software safety analysis method for flight control software. Firstly, the AADL architecture model and error model of flight control software are constructed separately. Then we convert the AADL model of flight control software into extended Markov chain model. We can evaluate safety of software component by calculate the probability of component state in different hazardous levels with the extended Markov chain model. Finally, safety of entire flight control software system can be calculated according to AADL error states composition relation, which can avoid states explosion problem of Markov chain model.

Fei Yan,Tao Tang

DOI: https://doi.org/10.1109/wcica.2008.4592925

2008-01-01

Abstract:The next few years will see distributed real-time computer systems playing an important role in control systems of high-dependability applications, such as rail transportation. In these applications a failure in the temporal domain can be as critical as a failure in the value domain. In rail transportation, train control system has become more complex and the methods to ensure its correctness of have been considered outmoded. The safety of train control system is becoming increasingly important as computers pervade them on which human life depends and the failure to meet time deadline can have serious or even fatal consequences. This paper proposes a formal modeling and verification approach for real-time system. In the proposed method the real-time system is modeled by timed automata network (TAN) and verified by model checking which explores the state space to determine whether the system satisfies a given specification. The case study of ATP (automatic train protection) shows how the method can assist in designing more efficient and reliable real-time systems. Firstly, automatic train protection (ATP) system and timed automata network (TAN) model is proposed; secondly, the state transitions and multi-tasks ATP onboard model was modeled with TAN model, and then the time sequences of each task are expressed in UML sequence diagrams. Finally, the timing characteristics was verified to meet the requirement by UPPAAL model checker. A major conclusion of the survey is that formal methods, while still immature in some respects, can be used successfully to model and verify real-time systems.

Zhibin Yang,Kai Hu,Dianfu Ma,Lei Pi

DOI: https://doi.org/10.1109/pic.2010.5687996

2010-01-01

Abstract:AADL (Architectural Analysis & Design Language) is an architecture description language standard for embedded real-time systems, and it is widely used in aerospace and other safety-critical applications. However, the AADL standard lacks at present a formal semantics. This paper proposes a formal semantics and a verification framework of AADL models with regard to mode change. The precise semantics of AADL mode change protocol is defined by a translation into the TASM (Timed Abstract State Machine) formalism. Then the translational semantics is automated in the AADL2TASM tool, which provides model checking and simulation for AADL models. Finally, the approach is validated with a case study of an automotive cruise control system.

Tianhua Xu,Tao Tang,Chunhai Gao,Baigen Cai

DOI: https://doi.org/10.1109/IVS.2009.5164402

2009-01-01

Abstract:We formally verify hybrid safety properties of Automatic Collision Avoidance System (ACAS) in the European Train Control System (ETCS). We present a formal requirements, design decision, discrete design and the real-time program for ACAS and verify correctness using compositional verification rules based Weakly monotonic time extension of DC* (WDC*). The advantage of compositional proof rule is that it decomposes a large system into more manageable pieces and to prove the correctness of the whole system from that of its immediate constituents. WDC* provides an essential simplification in reasoning about the design of real-time properties in ACAS by means of true synchrony hypothesis and the super-dense computation.

fang yan,tao tang

DOI: https://doi.org/10.2495/safe050561

2005-01-01

Abstract:The safety of software is becoming increasingly important as computers pervade control systems on which human life depends. This has become more complex and in rail transportation fields and the methods to ensure its correctness have been slow in development. One feasible approach is to mathematically verify software design in such systems with Formal Methods. ATP (Automatic Train Protection) is a vital part of Train Control Systems. It assures safe train movement by a combination of train detection, separation of trains running on the same track or over interlocked routes, over speed prevention, and route interlocking. Obviously ATP is a safety-critical system and we regard it as a case study for our formal development methods. Firstly, the multi-tasks ATP onboard software model and state transitions will be modelled with UML; secondly, the timing model will be verified to meet the requirement of timing by SMV model checker; finally, the multi-tasking timing model will be realized with VxWorks (a real-time operating system by WindRiver). A major conclusion of the survey is that formal methods, while still immature in some respects, can be used successfully to assist in developing safety-critical systems.

zhibin yang,kai hu,yongwang zhao,dianfu ma,jeanpaul bodeveix

DOI: https://doi.org/10.13328/j.cnki.jos.004776

2015-01-01

Abstract:This paper presents a formal verification method for AADL (architecture analysis and design language) models by TASM (timed abstract state machine) translation. The abstract syntax of the chosen subset of AADL and of TASM are given. The translation rules are defined clearly by the semantic functions expressed in a ML-like language. Furthermore, the translation is implemented in the model transformation tool AADL2TASM, which provides model checking and simulation for AADL models. Finally, a case study of space GNC (guidance, navigation and control) system is provided.

Xi Wang,Lei Ma,Tao Tang

DOI: https://doi.org/10.1177/1687814016649115

2016-01-01

Abstract:With the development of automatic control and communication technology, communication-based train control system is adopted by more and more urban mass transit system to automatically supervise the train speed to follow a desired trajectory. Taking reliability, availability, maintainability, and safety into consideration, 2 × 2-out-of-2 safety computer platform is usually utilized as the hardware platform of safety-critical subsystem in communication-based train control. To enhance the safety integrity level of safety computer platform, safety-related logics have to be verified before integrating them into practical systems. Therefore, a significant problem of developing safety computer platform is how to guarantee that system behaviors will satisfy the function requirements as well as responding to external events and processes within the limit of right time. Based on the qualitative and quantitative analysis of function and timing characteristics, this article introduces a formal modeling and verification approach for this real-time system. In the proposed method, timed automata network model for 2 × 2-out-of-2 safety computer platform is built, and system requirements are specified and formalized as computation tree logic properties which can be verified by UPPAAL model checker.

Zhibin Yang,Kai Hu,Dianfu Ma,Jean-Paul Bodeveix,Lei Pi,Jean-Pierre Talpin

DOI: https://doi.org/10.1016/j.jss.2014.02.058

IF: 3.5

2014-01-01

Journal of Systems and Software

Abstract:Architecture Analysis and Design Language (AADL) is an architecture description language standard for embedded real-time systems widely used in the avionics and aerospace industry to model safety-critical applications. To verify and analyze the AADL models, model transformation technologies are often used to automatically extract a formal specification suitable for analysis and verification. In this process, it remains a challenge to prove that the model transformation preserves the semantics of the initial AADL model or, at least, some of the specific properties or requirements it needs to satisfy. This paper presents a machine checked semantics-preserving transformation of a subset of AADL (including periodic threads, data port communications, mode changes, and the AADL behavior annex) into Timed Abstract State Machines (TASM). The AADL standard itself lacks at present a formal semantics to make this translation validation possible. Our contribution is to bridge this gap by providing two formal semantics for the subset of AADL. The execution semantics provided by the AADL standard is formalized as Timed Transition Systems (ITS). This formalization gives a reference expression of AADL semantics which can be compared with the TASM-based translation (for verification purpose). Finally, the verified transformation is mechanized in the theorem prover Coq. (C) 2014 Elsevier Inc. All rights reserved.

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.

Ehsan Ahmad,YunWei Dong,Brian Larson,JiDong Lü,Tao Tang,NaiJun Zhan

DOI: https://doi.org/10.1007/s11432-015-5346-2

2015-01-01

Science China Information Sciences

Abstract:Train control systems like most digital controllers are, by definition, hybrid systems as they interact with or try to control some aspects of the physical world. Detailed behavior modeling with constraints specification and formal verification, required for reliability prediction, is a great challenge for hybrid system designers. Train control systems further intensify this challenge with extensive interaction between computing units and their physical environment and their mutual dependence on each other. In this paper, we investigate behavior modeling and formal verification of Chinese Train Control System Level 3 (CTCS-3) using Architectural Analysis & Design Language (AADL) to cope with this challenge. AADL is an architecture description language for embedded systems and is based on model-based engineering paradigm. Along with structural modeling of embedded systems using the core language constructs, AADL also provides support for language extension through annex sublanguages. In system requirements specification document, the behavior of the CTCS-3 is specified as a set of basic operation scenarios that cooperate with each other to achieve safe and secure functionality of trains. Movement Authority (MA) scenario, explored in this paper, is considered as a basic and most crucial scenario to prevent trains from colliding with each other. The detailed discrete behavior of control system is modeled and verified using the Behavior Language for Embedded Systems with Software (BLESS) annex sublanguage of AADL, and the continuous behavior of train with the cyber–physical interaction (communication between train and control system) is modeled using the Hybrid annex sublanguage. The behavior of the MA scenario at system level is verified using the Hybrid Hoare Logic theorem prover. Behavior constraints are specified as assertions using first-order logic formulas augmented with a simple temporal operator.

Feng Zhang,Yongwang Zhao,Dianfu Ma,Wensheng Niu

DOI: https://doi.org/10.1109/access.2017.2770323

IF: 3.9

2017-01-01

IEEE Access

Abstract:AADL along with its Behavior Annex is an architecture and behavior description language for safety-critical domains, e.g. avionics, aerospace, and defence. In order to formally analyze behavior properties of AADL models, it is necessary to transform the AADL language into formal languages supported by formal verification tools. Moreover, comprehensive formal verification of AADL models highly requires that the transformation supports larger subset of the AADL language, as well as verification tools are able to capture various behavior of AADL, such as concurrency and timing. As an extended communicating sequential process (CSP), stateful timed CSP with its model checker-PAT provide an strongly expressive language and verification tool for real-time systems, distributed systems, and concurrent systems. This paper introduces a model transformation approach from a comparatively complete subset of AADL to stateful timed CSP, in particular supporting major components of AADL Behavior Annex. We propose a comprehensive set of transformation rules for AADL to stateful timed CSP. Then, we perform formal verification in PAT to analyze concurrent behavior properties of AADL models, such as safety, liveness, and trace refinement with various fairness assumptions, in which we consider time capacities, deadlines, periods of AADL threads and durations of AADL processes. As a study case, we develop an AADL model of F-16 “Auto Pilot Controller”and transform the model into Stateful Timed CSP. We specify a set of critical properties of the model and perform formal verification in PAT.

YH Du,LF Ai,CH Liu

DOI: https://doi.org/10.1109/grc.2005.1547327

2005-01-01

Abstract:Petri nets and temporal logic are efficient tools to study concurrent systems, but each has their own shortages. Thus, we introduce temporal Petri nets to model, analyze and verify train safety comprehensive monitoring system. On one hand, we describe frameworks of this system using Petri nets. On the other hand, we use temporal logic to describe temporal relationships of system states. Then, we analyze and verify the properties of model and conclude that the system is reliable and effective.

Jing Liu,Tengfei Li,Zuohua Ding,Yuqing Qian,Haiying Sun,Jifeng He

DOI: https://doi.org/10.1007/s11704-018-7039-7

IF: 2.6688

2018-01-01

Frontiers of Computer Science

Abstract:AADL (architecture analysis and design language) concentrates on the modeling and analysis of application system architectures. It is quite popular for its simple syntax, powerful functionality and extensibility and has been widely applied in embedded systems for its advantage. However, it is not enough for AADL to model cyber-physical systems (CPS) mainly because it cannot be used to model the continuous dynamic behaviors. This paper proposes an approach to construct a new sublanguage of AADL called AADL+, to facilitate the modeling of not only the discrete and continuous behavior of CPS, but also interaction between cyber components and physical components. The syntax and semantics of the sublanguage are provided to describe the behaviors of the systems. What’s more, we develop a plug-in to OSATE (open-source AADL tool environment) for the modeling of CPS. And the plug-in supports syntax checking and simulation of the system model through linking with modelica. Finally, the AADL+ annex is successfully applied to model a lunar rover control system.

Ying Zhou,Min Zhu,Xufang Gong,Bixin Li

DOI: https://doi.org/10.3233/978-1-61499-796-2-15

2017-01-01

Abstract:With the development of sensor network and embedded system, Cyber-Physical System (CPS) integrating computation, communication and control is becoming the focus of attention gradually. Obvious problems have emerged when CPS applying to various industries. It is crucial that the designed CPS can work as expect. A growing number of researchers are concerned about the property verification of CPS since verification technique has played a key role in improving the security and reliability of systems. It is a commonly used method that transforming generic model to formal model for verification. A formal method of theorem proving has well applied to verify CPS based on Differential Dynamic Logic (DDL) which operating model named Hybrid Program proposed by A. Platzer. This paper introduced HybridUML to model CPS, presented a method to verify CPS using DDL, where model was transformed from HybridUML to Hybrid Program, and verified a case study with the resulting model finally.

Fu Zhang,Dong-Xia Cao,Jingwei Cheng

DOI: https://doi.org/10.6688/JISE.201911_35(6).0007

2019-01-01

Journal of information science and engineering

Abstract:Spatio-temporal data modeling is an important basis for spatio-temporal data management. Unified Modeling Language (UML) is a widely used modeling language. Therefore, how to model spatio-temporal data based on UML and then how to further verify the correctness of the spatio-temporal UML models have become important issues. In this paper we propose a spatio-temporal UML model and a Description Logic (DL) method for verifying the model. First of all, we present a UML-based spatio-temporal data model. Also, an abstract definition and semantic description of the spatio-temporal UML models are given, and a case of cadastral change process is provided. Then, by adding some special concepts, roles, and axioms into the DL ALCIQ, a method for mapping the spatio-temporal UML models to ALCIQ knowledge bases is proposed, and a mapping example is provided. Further, several verification tasks of the spatio-temporal UML models are equivalently converted to the inference problems of the mapped ALCIQ knowledge bases, and the inference results can be returned and the verification of spatio-temporal UML models are realized with the help of the DL inference abilities.

Yuvaraj Selvaraj,Wolfgang Ahrendt,Martin Fabian

DOI: https://doi.org/10.48550/arXiv.2204.06873

2022-04-14

Abstract:The challenges in providing convincing arguments for safe and correct behavior of automated driving (AD) systems have so far hindered their widespread commercial deployment. Conventional development approaches such as testing and simulation are limited by non-exhaustive analysis, and can thus not guarantee correctness in all possible scenarios. Formal methods is an approach to provide mathematical proofs of correctness, using a model of a system, that could be used to give the necessary arguments. This paper investigates the use of differential dynamic logic and the deductive verification tool KeYmaera X in the development of an AD feature. Specifically, formal models and safety proofs of different design variants of a Decision & Control module for an in-lane AD feature are presented. In doing so, the assumptions and invariant conditions necessary to guarantee safety are identified, and the paper shows how such an analysis helps during the development process in requirement refinement and formulation of the operational design domain. Furthermore, it is shown how the performance of the different models is formally analyzed exhaustively, in all their allowed behaviors.

Systems and Control

Xiaoxiang Zhai,Qiaoqiao Chen,Shunhui Ji,Bixin Li

DOI: https://doi.org/10.1109/qsic.2012.11

2012-01-01

Abstract:In CPS (cyber-physical systems), computation is integrated with physical processes, computer system is used to monitor and interact with the physical world to realize maximization of benefit and usage. The model and verification for cyber physical systems are two important and challenge problems because CPS has not only heterogeneous nature but also very complicated structure and relationships among its components. In this paper, a unified framework is proposed to model and verify CPS, where CPS is modeled in forms of HybridUML models, then these HybridUML models are transformed to different operating models of Differential Dynamic Logic (DL), and finally some CPS properties are specified using DDL equations and verified using DDL reasoning rules.