Industrial-Strength Formal Methods in Practice

Abstract

Industrial-Strength Formal Methods in Practice provides hands-on experience and guidance for anyone who needs to apply formal methods successfully in an industrial context. Each chapter is written by an expert in software engineering or formal methods, and contains background information, introductions to the techniques being used, actual fragments of formalised components, details of results and an analysis of the overall approach. It provides specific details on how to produce high-quality software that comes in on time and within budget. Aimed mainly at practitioners in software engineering and formal methods, this book will also be of interest to the following groups: academic researchers working in formal methods who are interested in evidence of their success and in how they can be applied on an industrial scale, and students on advanced software engineering courses who need real-life specifications and examples on which to base their work.
Mathematicians are very happy to discuss things that don’t
exist, but engineers are very unhappy about it.
Maurice V. Wilkes (10 May 1999)
Preface
Computer design is an engineering discipline, not a mathematical one.
Maurice V. Wilkes (10 May 1999) [1]
It is jokingly said that in any report one should address all of the thorny issues
straight away, and ignore them thereafter, whether they have been resolved or not.
Therefore we will make the sole mention of Y2K and the so-called “Millennium
Bug” in this collection here in the preface.
This book is not about the problems that will/could/might occur on 1 January,
2000, and was never intended to be. However, concerns over that event do make
the publication of this collection particularly timely. The amount of publicity that the “Y2K problem” has attracted has brought to people’s attention that much of software development has, in the past, been rather ad hoc, often careless, and has taken place without consideration for the longevity of software, and the influence that software systems have on so many aspects of our lives. (For technical details on the specification and design of high-quality software, the reader is referred to High-Integrity System Specification and Design (Bowen and Hinchey, 1999), published recently, also in the FACIT series.)
Many would argue that software is never truly “engineered” in the sense that buildings, bridges, chemical plants, and, even, hardware systems are. Although they have been available for three decades now, formal methods are still too often seen as a mathematical “toy” exercise for academics. We dispute this view, however, and we hope that the papers in this collection will help to convince skeptics that formal methods can indeed be applied at a scale suitable for industrial practice. That “proof of concept” was the goal of a previous collection, Applications of Formal Methods (Hinchey and Bowen, 1995). This collection goes further, however, in that rather than trying to illustrate that formal methods can be used in industrial practice, chapters in this collection aim to guide the reader in actually applying formal methods to industrial-scale projects.
[1] On the occasion of the 50th anniversary of the EDSAC computer at a British Computer Society Computer Conservation Society (BCS-CCS) meeting held at the Science Museum, London.
Chapter 1, by ourselves, the editors, highlights several “sins” often committed by those attempting to apply formal methods. The chapter aims to give some general guidelines that should help in the real-life application of formal methods.
In Chapter 2, Bernard and Laffitte describe their experiences using the B-Method, a tool-supported formal software development approach, to automate systems used in conducting the French Census of Population in 1990. The system was critical in that the statistical data would be used in making political decisions. Based on their experiences, the authors discuss the relevance of B for industrial practice.
Anderson, in Chapter 3, describes a very interesting example of the use of formal methods, namely the application of the BAN logic (developed by Burrows, Abadi and Needham, to help in the formal reasoning about authentication) to an electronic payment system where security considerations are paramount. The result was a highly successful system and an example of how necessary formal methods can be in particular circumstances.
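To show what kind of reasoning BAN logic mechanises, the following is an added illustration, not code from the book or from Anderson's chapter: it implements the core BAN inference rules (message meaning for shared keys, nonce verification, jurisdiction, and the conjunction rules) as a forward-chaining fixpoint and runs them over a constructed key-delivery exchange. The principals A, B and S, the keys Kas and Kab, and the nonce Na are hypothetical names chosen for the example, and the message form is an idealisation of the kind BAN analyses start from; none of this is the payment protocol of Chapter 3. The point it makes is the check a practitioner wants from such a logic: with the nonce present, A is entitled to believe the delivered key; with the nonce dropped, the rules stop at "S once said Kab", which is exactly the replay exposure BAN leaves visible.

```python
"""Forward-chaining checker for the core BAN (Burrows-Abadi-Needham) rules.
Added illustration; the protocol below is a constructed toy, not the payment
system analysed in Anderson's chapter."""
from itertools import product

# Formula constructors; tuples keep statements hashable for the fixpoint set.
def shared(k, p, q):   return ("shared", k, frozenset((p, q)))  # P <-K-> Q
def enc(x, k):         return ("enc", x, k)                     # {X}_K
def pair(x, y):        return ("pair", x, y)                    # (X, Y)
def fresh(x):          return ("fresh", x)                      # #(X)
def believes(p, x):    return ("believes", p, x)                # P |= X
def sees(p, x):        return ("sees", p, x)                    # P <| X
def said(p, x):        return ("said", p, x)                    # P |~ X
def controls(p, x):    return ("controls", p, x)                # P => X

def tag(x):
    return x[0] if isinstance(x, tuple) else None

def known_fresh(p, x, facts):
    """P |= #(X), directly or by the rule  #(X) ==> #((X, Y))."""
    if believes(p, fresh(x)) in facts:
        return True
    return tag(x) == "pair" and (known_fresh(p, x[1], facts) or known_fresh(p, x[2], facts))

def derive(facts, max_rounds=50):
    """Apply the BAN rules to a set of statements until no new statement appears."""
    facts = set(facts)
    for _ in range(max_rounds):
        new = set()
        bel = [f for f in facts if tag(f) == "believes"]
        seen = [f for f in facts if tag(f) == "sees"]
        for (_, p, x), (_, p2, m) in product(bel, seen):
            # Message meaning (shared key): P |= P<-K->Q, P <| {X}_K  ==>  P |= Q |~ X
            if tag(x) == "shared" and p == p2 and tag(m) == "enc" and m[2] == x[1]:
                for q in x[2] - {p}:
                    new.add(believes(p, said(q, m[1])))
        for _, p, x in bel:
            if tag(x) == "said" and known_fresh(p, x[2], facts):
                # Nonce verification: P |= #(X), P |= Q |~ X  ==>  P |= Q |= X
                new.add(believes(p, believes(x[1], x[2])))
            if tag(x) == "controls" and believes(p, believes(x[1], x[2])) in facts:
                # Jurisdiction: P |= Q => X, P |= Q |= X  ==>  P |= X
                new.add(believes(p, x[2]))
            if tag(x) == "pair":
                # P |= (X, Y)  ==>  P |= X, P |= Y
                new.update({believes(p, x[1]), believes(p, x[2])})
            if tag(x) in ("believes", "said") and tag(x[2]) == "pair":
                # P |= Q |= (X, Y)  ==>  P |= Q |= X   (and likewise for |~)
                new.update({believes(p, (x[0], x[1], part)) for part in x[2][1:]})
        for _, p, m in seen:
            if tag(m) == "pair":  # P <| (X, Y)  ==>  P <| X, P <| Y
                new.update({sees(p, m[1]), sees(p, m[2])})
        if new <= facts:
            return facts
        facts |= new
    raise RuntimeError("no fixpoint reached")

def key_delivery_beliefs(with_nonce):
    """Constructed toy protocol: server S answers A with {Na, A<-Kab->B}_Kas.
    Returns everything A comes to believe; with_nonce=False drops Na from the reply."""
    A, B, S = "A", "B", "S"          # hypothetical principal names
    kab = shared("Kab", A, B)
    payload = pair("Na", kab) if with_nonce else kab
    assumptions = {
        believes(A, shared("Kas", A, S)),  # A's long-term key with the server
        believes(A, controls(S, kab)),     # S is trusted to issue session keys
        believes(A, fresh("Na")),          # A minted Na for this run
        sees(A, enc(payload, "Kas")),      # idealised form of the reply
    }
    return derive(assumptions)

def a_accepts_session_key(with_nonce):
    """Does A reach the goal belief A |= A<-Kab->B ?"""
    return believes("A", shared("Kab", "A", "B")) in key_delivery_beliefs(with_nonce)

if __name__ == "__main__":
    print("with nonce:   ", a_accepts_session_key(True))
    print("without nonce:", a_accepts_session_key(False))
```

Without the nonce the only derivable statement about the key is A believes S said Kab; nonce verification never fires because nothing in the message is fresh, so jurisdiction cannot promote it to A believes Kab. That gap is the logic's way of saying the message could be a replay from an earlier run, which is the kind of finding the formal treatment of a payment protocol is meant to surface before deployment.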
Chapter 4, by Lano, Sanchez and Goldsack describes experiences with applying the B-Method in the development of chemical process control systems. It describes the authors’ experiences in applying the method, including how it can be made industrially relevant, and gives excellent guidelines for large-scale application of formal methods in process control environments.
Hardware is the focus of Chapter 5, by Brock and Hunt, which describes the
application of ACL2 (A Computational Logic for Applicative Common Lisp) to
the verification of the Motorola DSP Complex Arithmetic Processor (CAP). This
involves a high level of assurance through the use of automated theorem proving
techniques and tool support, a key issue for formalisation.
Chapter 6, by Kesten et al., describes an application of formal methods to Internet security. A combination of techniques was used, which exploits the benefits of model-checking, an increasingly important issue in formal methods.
The topic of tool support is continued in Chapter 7, as Leveson, Heimdahl and
Reese describe a successful CAD environment used in the development of safety-
critical software systems.
The railway industry provides the application domain for Chapter 8, as Bjørner, George and Prehn report on experiences with applying the RAISE tool-supported formal development approach to the Chinese railway system. This was a particularly large project spanning over a long period of time, and involving collaboration between the railway authorities and Fellows at the United Nations University.
Jacky, in Chapter 9, reports on a large-scale critical system using the Z formal specification notation, namely University of Washington’s experiences with the formal specification and development of a radiation therapy machine.
Chapter 10, by Hall, is a fascinating paper, first published in IEEE Software,
describing experiences in the development of an air traffic control system for the
London airports, and pointing out many issues that anyone embarking on using
formal methods would be wise to consider.
The use of formal methods in tandem with other (less formal) notations is a growing area of interest for the formal methods community. Chapter 11, by Semmens and Bryant, describes their success in using the Rigorous Review Technique, whereby formal methods (specifically the Z notation) are used to enable great insights into specifications and designs produced using structured analysis techniques and notations.
Z is also the focus of Chapter 12. Craigen, Meisels and Saaltink describe the use
of the Z/EVES tool for analysing Z specifications and proving properties of them.
While Z can be used simply as a notation to capture specifications unambiguously,
in practical industrial use, tool-support is required to check and reason about these
formal descriptions in order to help avoid human errors when large specifications
are involved.
Moore, Klinker and Mihelcic describe, in Chapter 13, how to approach formal
specification and verification in such a way that those certifying systems will be
convinced of the validity of the approach.
Chapter 14, by Ardis and Mataga, addresses the importance of domain engineering and describes how to tackle the ever-difficult problem of technology transfer.
Verification, and in particular tool-supported verification, is also the subject of Chapter 15, by Borälv and Stålmarck, who report on their many years of successful application of formal methods in a variety of industries.
Finally, Chapter 16, by Linger and Trammell, presents the Cleanroom approach to software engineering. The approach places high emphasis on quality, with components that fail to meet strict criteria being discarded.
Our thanks to all those who contributed to this collection, especially when one
of us tormented them over PostScript figures, deadlines, and other issues that at the
end of the day seem so trivial. And our special thanks to Michael Jackson for kindly
agreeing to write a foreword to the collection and to Maurice Wilkes for permission
to quote him at the start of the book.
We are very grateful to all at Springer-Verlag for their assistance and patience during the preparation of this book. In particular we would like to thank Rebecca Mowat, Karen Barker, and especially Rosie Kemp. Additionally, Jane Bowen kindly proofread Chapter 1 for us.
We hope that the collection will prove to be useful to you, the reader, whether
you are a student, an academic, or an industrialist wanting to know more about
formal methods or how to put formal methods into practice on an industrial scale.
Relevant information about this book will be kept up to date online at:
http://www.fmse.cs.reading.ac.uk/isfm/
M.G.H., Omaha
J.P.B., Reading
Contents
Foreword xiii
List of Contributors xv
1 It’s Greek to Me: Method in the Madness?
J.P. Bowen and M.G. Hinchey 1
2 The French Population Census for 1990
P. Bernard and G. Laffitte 15
3 The Formal Verification of a Payment System
R.J. Anderson 43
4 Specification of a Chemical Process Controller in B
K. Lano, S. Goldsack and A. Sanchez 53
5 Formal Analysis of the Motorola CAP DSP
B.C. Brock and W.A. Hunt, Jr. 81
6 Bridging the E-Business Gap Through Formal Verification
Y. Kesten, A. Klein, A. Pnueli and G. Raanan 117
7 A CAD Environment for Safety-Critical Software
N. Leveson, M. Heimdahl and J.D. Reese 139
8 Scheduling and Rescheduling of Trains
D. Bjørner, C. George and S. Prehn 157
9 Lessons from the Formal Development of a Radiation Therapy Machine Control Program
J. Jacky 185
10 Using Formal Methods to Develop an ATC Information System
A. Hall 207
11 Rigorous Review Technique
L. Semmens and T. Bryant 231
12 Analysing Z Specifications with Z/EVES
D. Craigen, I. Meisels and M. Saaltink 255
13 How to Construct Formal Arguments that Persuade Certifiers
A.P. Moore, J.E. Klinker and D.M. Mihelcic 285
14 Formal Methods Through Domain Engineering
M. Ardis and P. Mataga 315
15 Formal Verification in Railways
A. Borälv and G. Stålmarck 329
16 Cleanroom Software Engineering: Theory and Practice
R.C. Linger and C.J. Trammell 351
References 373
Index 391
Foreword
Henry Buckle, the nineteenth-century English historian, asked himself why histori-
ans had been unable to discover general laws and principles and calculi of the kind
and quality that mathematicians and physicists and chemists had found with such
spectacular success. He concluded that historians were simply inferior to the sci-
entists “...no one having devoted himself to history who in point of intellect is at
all to be compared with Kepler, Newton, or many others ...”. But he also believed
that within another century history would assimilate the methods and principles of
natural science and would itself become a respectable science.
The earliest and most impassioned advocates of formal methods sometimes sounded like Buckle. Software development practitioners, they implied, were simply the intellectual inferiors of the researchers and academics who had devised mathematically sound development methods. Practitioners should learn and adopt formal methods and their difficulties would melt away. But these advocates, like Buckle, had failed to understand the nature of the work.
Certainly, many aspects of software development, as of history, can profitably
draw on formal reasoning and calculation. But serious software developments are
about the real world, and there is more in heaven and earth than is dreamt of in
the philosophy of mathematical formalisms. The formal system embodied in the
computer and its software must interact with the inherently informal world of human
beings and physical nature, where its whole purpose resides. A very large part of the
software engineering task is to analyse and describe that inherently informal world,
and the system’s purpose within it, well enough to ensure the practical achievement
of that purpose. This is not a work of formal reasoning or refinement or calculation:
it is a work of formalisation and description — the necessary prelude to the formal
parts of the work.
Today’s advocates of formal methods understand this much better than their
impassioned predecessors, and their work is correspondingly more convincing and
more valuable. The editors themselves write in their introductory chapter: “One of
the most difficult aspects [in the application of formal techniques] is learning to
model reality with sufficient accuracy”. They recognise that “Often it is best to use
formal methods with a light touch, applying them only when extra assurance is
required for the development of a difficult part of a large system”, and that “The
process of producing the formalisation is as important as, or perhaps even more
important than, the resulting specification itself ...”.
This, then, is not a book of dogma. It is a fruit of many substantial and successful applications of formal methods to serious and often safety-critical developments. The application areas include process control, population census, railway signalling, air traffic control, telecommunications and radiotherapy. The methods used include B, Z, VDM and CSP. Customers for the systems include large organisations already possessing a large store of software development experience.
The authors of the contributed chapters show a wide appreciation of the range of factors that may be important in a development. They recognise that development must be supported by convincing justification of the formal model; that formal reasoning must be made intelligible to the customer; and that in a world that is informal, not bounded a priori, testing is absolutely necessary and can never be dispensed with in favour of complete reliance on formal proofs. They also recognise that the development process itself is subject to human error, and that the resulting systems must therefore be analysed, like the products of established engineering disciplines, for their potential modes of failure.
In short, both experience and advocacy of formal methods are coming of age.
This book is a rich record of much that has been learned in the progression from the
naivete of childhood to the practical common sense of more mature years.
Michael A. Jackson
London, June 1999
List of Contributors
Ross J. Anderson, University of Cambridge Computer Laboratory, Cambridge,
UK
Mark Ardis, Software Production Research Department, Bell Laboratories, Lu-
cent Technologies, NJ, USA
Pascal Bernard, Philips Consumer Communications, Le Mans, France
Dines Bjørner, Technical University of Denmark, Department of Information
Technology, Lyngby, Denmark
Arne Borälv, Prover Technology AB, Stockholm, Sweden
Jonathan P. Bowen, The University of Reading, Department of Computer Sci-
ence, Reading, UK
Bishop C. Brock, IBM Corporation, Austin, TX, USA
Tony Bryant, Leeds Metropolitan University, Leeds, UK
Chris George, United Nations University, International Institute for Software
Technology, Macau
Stephen Goldsack, Imperial College, Department of Computing, London, UK
Dan Craigen, ORA Canada, Ottawa, Ontario, Canada
Anthony Hall, Praxis, Bath, UK
Mats P.E. Heimdahl, University of Minnesota, Department of Computer Science and Engineering, Minneapolis, MN, USA
Mike Hinchey, University of Nebraska-Omaha, Department of Computer Science,
Omaha, NE, USA
Warren A. Hunt, Jr., IBM Corporation, Austin, TX, USA
Jonathan Jacky, University of Washington, Department of Oncology, Seattle,
WA, USA
Yonit Kesten, Ben Gurion University, Department of Communication Systems,
Beer-Sheva, Israel
Amit Klein, Perfecto Technologies Limited, Herzelia, Israel
J. Eric Klinker, Naval Research Laboratories, Washington DC, USA
Guy Laffitte, Institut National de la Statistique et des Études Économiques (INSEE), Nantes, France
Kevin Lano, Imperial College, Department of Computing, London, UK
Nancy G. Leveson, Department of Aeronautics and Astronautics, Massachusetts Institute of Technology, Cambridge, MA, USA
Richard C. Linger, Software Engineering Institute, Carnegie Mellon University,
Pittsburgh, PA, USA
Peter Mataga, Software Production Research Department, Bell Laboratories, Lu-
cent Technologies, NJ, USA
Irwin Meisels, ORA Canada, Ottawa, Ontario, Canada
David M. Mihelcic, Naval Research Laboratories, Washington D.C., USA
Andrew P. Moore, Naval Research Laboratories, Washington D.C., USA
Søren Prehn, TERMA Elektronik AS, Birkerød, Denmark
Amir Pnueli, Weizmann Institute of Science, Rehovot, Israel
Gil Raanan, Perfecto Technologies Limited, Herzelia, Israel
Jon D. Reese, Safeware Engineering Corporation, Seattle, WA, USA
Mark Saaltink, ORA Canada, Ottawa, Ontario, Canada
Arturo Sanchez, Imperial College, Department of Chemistry, London, UK
Lesley Semmens, Leeds Metropolitan University, Leeds, UK
Gunnar Stålmarck, Prover Technology AB, Stockholm, Sweden
Carmen J. Trammell, CTI-PET Systems, Inc., Knoxville, TN, USA

Chapter abstracts

The use of formal methods is fraught with difficulties, any one of which could cause the downfall of a project depending on their use. We enumerate a number of pitfalls which should be avoided in order to help make sure a formal methods project is successful, together with some guidance on the use of formal methods in the overall design process. While this cannot ensure favourable results, it will help to avoid failure, which is all too easy an outcome (see, for example, Neil et al., 1998).
This chapter shows the combined use of formal methods with techniques developed in control engineering for the design and development of automation systems for discrete-event processes. On the one hand, formal methods guarantee the correct implementation of a given specification. On the other, control engineering techniques are used to develop a specification which is guaranteed to satisfy operational and safety requirements.
The goal of the University of Washington, University of Minnesota, and Safeware Engineering Corporation Safety-Critical Systems Projects is to develop a theoretical foundation for software safety and to build a methodology upon that foundation. This paper describes the methodology and a set of safety analysis techniques (and prototype tools) to support it. The prototype tools are being developed in order to evaluate the techniques. To ensure that the procedures scale up to realistic systems, the tools and techniques are being evaluated on real systems, including TCAS II (Traffic Alert and Collision Avoidance System), an airborne collision avoidance system required on most aircraft that fly in U.S. airspace, a NASA experimental flight management system, a NASA robot used to service tiles on the Space Shuttle, and proposed upgrades to the U.S. Air Traffic Control System.
The PRaCoSy (Peoples Republic of China Railway Computing System) project was a collaborative project between the Chinese Ministry of Railways and UNU/IIST, the United Nations University International Institute for Software Technology in Macau. The first phase ran from September 1993 to December 1994 and the second from August 1995 to March 1996.
The air traffic management system in the UK is being upgraded to handle increasing traffic levels. One of the aspects of this upgrade is the development of the Central Control Function (CCF), a new way of handling terminal traffic. CCF provides controllers in the London Area and Terminal Control Centre (LATCC) with automated support for their new roles. In particular, CCF includes Approach Sequencing, a function for generating and manipulating the sequence of flights inbound to a major airport complex (MAC) such as Heathrow or Gatwick. The automated support is provided by a number of systems, including upgrades to the National Airspace System (NAS),a new radar system, an Airport Data Information System (ADIS), a new digital closed circuit television and a new information system, CCF Display Information System (CDIS).
The Rigorous Review Technique (RRT) emerged from a research project established between Leeds Metropolitan University (at that time called Leeds Polytechnic) and British Telecom (BT). In the late 1980s a small group of researchers at LMU started work on the integration of formal and structured approaches, with the objective of finding ways in which the two forms could complement each other. This would allow the strengths of the differing approaches to be combined within an integrated method. The strength of the structured methods derived from their concern for software management and productivity, stressing the planning, monitoring and control aspects of software production on a large scale. Formal methods, on the other hand, emanated from a focus on reliability and correctness, stressing production of error-free code, developed through use of formal languages and specification techniques, incorporating proofs based on mathematical models. Our aim and intention was to harness the reasoning power of the mathematically-based specification to the management and project-based discipline of structured development.
This chapter illustrates the use of the Z notation in a formal specification (of the Sliding Window protocol), and shows how Z/EVES (Saaltink, 1997b; Saaltink and Meisels, 1995) can be used to analyse and validate the specification.
It is almost an article of faith among advocates of formal methods that the major benefits should be most evident for large, complex software systems, yet there are few examples of the use of formal specification and analysis techniques in such systems. This is in large part because of the lack of attention paid by the formal methods community to the technology transfer process and the realities of large software development.
The motive for adopting a formal method is an improved development process with resource savings, a reduced number of errors, and reduced time-to-market. That formal methods can potentially give these benefits is not very controversial, since formal methods treat software construction just like construction in any other traditional engineering discipline: by model building and model analysis before construction and production take place. A model is an abstraction of a system to be constructed, with the advantage that it can be analysed thoroughly for its intended, and also unintended, design characteristics. This prior-to-construction analysis is used in many traditional engineering disciplines, e.g., in mechanics of materials in order to establish the solidity of constructions. It seems very likely that, with the appropriate methodology and tool support, prior-to-construction analysis based on mathematics and logic is equally beneficial in software development as related methods are in traditional engineering disciplines.
Cleanroom software engineering is a rigorous engineering discipline for the development and certification of high-reliability software systems under statistical quality control (Mills, 1992; Linger, 1993, 1994). The Cleanroom name is borrowed from hardware cleanrooms, with their emphasis on process control and focus on defect prevention rather than defect removal. Cleanroom combines mathematically-based methods of software specification, design, and correctness verification with statistical usage testing to certify software fitness for use.
... Over the past decades, there has been ample research on shape perception in different fields such as (neuro-)psychology [4,12,13,22,30,31,41,45,50,54,66], computer vision [15,47,49,71], and deep learning [3,25,38,63]. Although so far no complete understanding of the shape domain has emerged, there exist some common themes that appear in multiple approaches, such as the distinction between global structure and local surface properties [3,4,12,30], or candidate features such as aspect ratio [4,12,15,45,47,50,66,71], curvature [12,13,15,47,50,66,71], and orientation [4,15,31,45,54,66,71]. ...
... Over the past decades, there has been ample research on shape perception in different fields such as (neuro-)psychology [4,12,13,22,30,31,41,45,50,54,66], computer vision [15,47,49,71], and deep learning [3,25,38,63]. Although so far no complete understanding of the shape domain has emerged, there exist some common themes that appear in multiple approaches, such as the distinction between global structure and local surface properties [3,4,12,30], or candidate features such as aspect ratio [4,12,15,45,47,50,66,71], curvature [12,13,15,47,50,66,71], and orientation [4,15,31,45,54,66,71]. ...
... Over the past decades, there has been ample research on shape perception in different fields such as (neuro-)psychology [4,12,13,22,30,31,41,45,50,54,66], computer vision [15,47,49,71], and deep learning [3,25,38,63]. Although so far no complete understanding of the shape domain has emerged, there exist some common themes that appear in multiple approaches, such as the distinction between global structure and local surface properties [3,4,12,30], or candidate features such as aspect ratio [4,12,15,45,47,50,66,71], curvature [12,13,15,47,50,66,71], and orientation [4,15,31,45,54,66,71]. ...
Book
This volume constitutes revised selected papers from the four workshops collocated with the 19th International Conference on Software Engineering and Formal Methods, SEFM 2021, held virtually during December 6–10, 2021. The 21 contributed papers presented in this volume were carefully reviewed and selected from a total of 29 submissions. The book also contains 3 invited talks. SEFM 2021 presents the following four workshops: CIFMA 2021 - 3rd International Workshop on Cognition: Interdisciplinary Foundations, Models and Applications; CoSim-CPS 2021 - 5th Workshop on Formal Co-Simulation of Cyber-Physical Systems; OpenCERT 2021 - 10th International Workshop on Open Community approaches to Education, Research and Technology; ASYDE 2021 - 3rd International Workshop on Automated and verifiable Software sYstem Development. Due to the Corona pandemic this event was held virtually.
... 3. The practice undertaken by the community in this domain, developing its knowledge, sometimes formalized as a Body of Knowledge (BoK) [49] see also Section 4. The formal methods community encourages the transfer of research ideas into practical use [65,66]. Some formal methods approaches have been used in industrial-scale software-based projects, although information on these can be dicult to promulgate due to commercial sensitivities and Non-Disclosure Agreements. ...
Chapter
This paper surveys certain Communities of Practice (CoP) in the field of formal methods for software engineering, especially with respect to state-based notations, using personal knowledge and experience. The multiple communities involved with formal methods are examined here as related CoPs. In this context, the CoPs are open communities encouraging participation by all those interested both in research and application. The authors have been involved with formal methods over several decades and for most of their careers, and it is hoped that the observations in this paper may help future community building to further the development of formal methods, and software engineering in general. The paper also relates the concepts of Networks of Practice (NoP) and Landscapes of Practice (LoP) to formal methods research and practice, and gives a brief introduction to the possibility of visualizing formal methods CoPs. A substantial bibliography is included at the end of the paper.
... In recent years, model-based system safety analysis methods have been developed to overcome the limitations of traditional analytical methods in handling complex coupling engineering problems [13][14][15][16][17][18][19]. Model-based safety analysis refers to the introduction of a complex system model that is specifically targeted at an object of study in the failure mode analysis [12,[20][21][22][23][24], that is, the utilization of an established model to test the system through simulation at each stage of failure mode analysis, in order to verify whether the system can operate according to the functional requirements. ...
Article
Full-text available
Turbocharging is an effective way to address the problem of reduction in power and increase in fuel consumption of aviation piston engines during high-altitude flight. However, turbochargers have greatly increased the degree of complexity of power systems. The model-based system safety analysis methods for the safety analysis of turbocharging systems are introduced in this study to overcome the limitations of the traditional safety analysis methods regarding complex matching and coupled safety issues. On the basis of the established system models and the formed failure mode work boundaries and safety boundaries, the column profile coordinates F of correspondence analysis with the numerical deviation of the key factors are used to identify the key factors affecting failure, thereby proposing safety control strategies in a targeted manner. Then, the failure probability of the turbocharging system is assessed through the Monte Carlo method. System failure modes and probabilities before and after the execution of safety control strategies are compared to accurately determine the effectiveness of those strategies. The verification examples show that a safety control strategy that adjusts the diameter of the wastegate e2 can reduce system failure probability and enhance safety level.
... Vibration signal is one of the most important signal which is widely used for machine health monitoring in the industry. Particularly, the vibration signal has been widely used for the detection of BF in industries [112]. A detailed critical comparison of BF using a motor current or vibration signal is presented in [113]. ...
Thesis
Full-text available
Permanent magnet synchronous motors (PMSMs) have recently gained popularity due to superior efficiency, ease of manufacturing, and high torque/power density, including the internal permanent magnet variety. Despite these advantages, the reliability of these machines is affected by multiple faults caused by electric, magnetic, and mechanical issues. In PMSMs, the inter-turn-short fault (ITSF), irreversible demagnetization fault (IDF), and bearing faults are the most frequently occurring; they deteriorate the machine's performance and can be responsible for catastrophic accidents. Early diagnosis of these faults is required to ensure efficient and safe operation in safety-critical applications. Furthermore, a comprehensive fault diagnostic system enables the early evolution of critical faults to be tracked and a suitable avoidance mechanism to be deployed. A voltage signal is considered a significant fault signature for the early diagnosis of faults in the PMSM. A voltage/torque angle-based method is proposed for the detection and identification of the ITSF and IDF in the steady-state condition. The voltage angle for the healthy motor is first obtained using multivariate regression analysis (MRA) over the entire operating region. Later, a real-time voltage angle is compared with its corresponding healthy value for any potential variation caused by either ITSF or IDF. The IDF can occur in either a partial or a uniform pattern in a PMSM. The uniform IDF does not disturb the symmetry of the machine, which makes it extremely difficult to detect and to separate from partial IDF. In order to distinguish between uniform and partial IDF, a method based on the frequency pattern of the input-voltage/BEMF is proposed. The variation in the fundamental component of the input-voltages/BEMF and the additional even-order harmonics caused by IDF are used for the detection and classification of uniform and partial IDF.
MRA is used to predict the fundamental component of the input-voltage and compare it with the real-time voltage during operation. Any reduction in the fundamental component of the voltage at a certain operating point, together with the presence of second- and fourth-order harmonics, confirms the presence of partial or uniform demagnetization. Moreover, other types of faults, such as bearing and eccentricity faults, also occur in PMSMs. Therefore, a comprehensive fault diagnostic system is required to handle the aforementioned heterogeneous faults. Deep learning (DL), which has proved successful in the classification of heterogeneous data, is used to detect and classify the healthy machine, IDF, and bearing fault. DL has the potential to alleviate the limitations of manual feature extraction. It takes the raw signal as input and extracts all the features automatically for classification purposes. Thus, this method can be used for the diagnosis of any fault in the PMSM at any operating condition using historic experimental data. The confluence of the time-domain vibration and frequency-domain stator current signals is used to train a variant of the ImageNet pre-trained VGG network with 16 layers for the detection and classification of IDF and bearing faults. The proposed method achieves a state-of-the-art accuracy of 96.65% for the classification of healthy, IDF, and bearing faults. The easy implementation, cost-effectiveness due to their noninvasive nature, robustness, and computational efficiency make the first and second proposed methods viable candidates for the efficient detection and identification of ITSF and IDF for certain applications. Furthermore, the proposed DL-based method offers a wide range of application and can be used for the diagnosis of any machine- and inverter-related faults with higher accuracy using small training data. Additionally, this method is capable of estimating the severity of each fault.
All three proposed methods are verified by simulation and experimental tests on a 400-watt IPMSM.
Keywords: Permanent magnet synchronous motor, inter-turn-short fault, irreversible demagnetization fault, bearing fault, fault diagnosis, artificial intelligence, deep learning, robust fault diagnosis.
... The mathematical notation employed in this paper is the formal, set-theoretic notation Z [25]. This notation has been applied in the design and development of large software systems [7,11,12]. It is particularly suitable for the definition of formal, denotational semantics: it allows more concise descriptions, through the naming and re-use of patterns of declaration and constraint, and it is supported by a range of open-source tools. ...
Article
Scientific progress is increasingly dependent upon the acquisition, processing, and analysis of large volumes of data. The validity of results and the safety of applications rely upon an adequate understanding of the real-world semantics of this data: its intended interpretation, and the context in which it is acquired and processed. This presents a challenge: interpretations vary, context is infinite, and either may change over time. This paper addresses that challenge. It introduces a language for the description of real-world semantics that allows for multiple, evolving interpretations, together with a high degree of automation in the capture and creation of contextual metadata. The language itself has a mathematical semantics, and supports a notion of semantic interoperability closely related to existing, formal notions of refinement. The language represents a scalable approach in three respects: it is compositional, in terms of composing real-world semantics piece by piece; it allows for multiple perspectives, allowing the parallel development of different interpretations; and it supports automatic transformations to and from implementation languages. The practical application of the approach is illustrated with examples from large-scale medical research.
... Collaboration with Mike Hinchey also continued on the use of formal methods [236], including a chapter in a large computer science and engineering handbook [236,406]. This culminated in two books in 1999, one on the industrial use of formal methods with contributed chapters (Industrial-Strength Formal Methods in Practice) [238,362]. The other book was on high-integrity system specification and design (High-Integrity System Specification and Design) [237], with classic papers, including some related to formal methods [239,240,277]. ...
Preprint
A personal archive of material related to formal methods was deposited at Swansea University by the author in 2018. This paper documents the contents of the archive and includes associated publications. The archival material forms part of a larger History of Computing Collection founded by Prof. John Tucker at Swansea in 2007 and held at the University. It is hoped that this paper can aid future archivists in placing the material in context.
Article
Formal methods are mathematically based techniques for the rigorous development of software-intensive systems. The railway signaling domain is a field in which formal methods have traditionally been applied, with several success stories. This article reports on a mapping study that surveys the landscape of research on applications of formal methods to the development of railway systems. Following the guidelines of systematic reviews, we identify 328 relevant primary studies, and extract information about their demographics, the characteristics of the formal methods used and railway-specific aspects. Our main results are as follows: (i) we identify a total of 328 primary studies relevant to our scope published between 1989 and 2020, of which 44% were published during the last 5 years and 24% involve industry; (ii) the majority of studies are evaluated through Examples (41%) and Experience Reports (38%), while full-fledged Case Studies are limited (1.5%); (iii) model checking is the most commonly adopted technique (47%), followed by simulation (27%) and theorem proving (19.5%); (iv) the dominant languages are UML (18%) and B (15%), while frequently used tools are ProB (9%), NuSMV (8%) and UPPAAL (7%); however, a diverse landscape of languages and tools is employed; (v) the majority of systems are interlocking products (40%), followed by models of high-level control logic (27%); (vi) most of the studies focus on the Architecture (66%) and Detailed Design (45%) development phases. Based on these findings, we highlight current research gaps and expected actions: in particular, the need to focus on more empirically sound research methods, such as Case Studies and Controlled Experiments, and to lower the degree of abstraction by applying formal methods and tools to development phases that are closer to software development. Our study contributes an empirically based perspective on the future of research and practice in formal methods applications for railways. It can be used by formal methods researchers to better focus their scientific inquiries, and by railway practitioners for an improved understanding of the interplay between formal methods and their specific application domain.
Article
INSPEX is an INtegrated Smart sPatial EXploration system. It relies on a family of sensors, as automated vehicles do, to provide enough information to a digital system for it to make reliable inferences about the location of obstacles and other impediments in its environment. Unlike the automated vehicle case, INSPEX is miniaturised, because it is intended for lightweight applications and for portable use by humans, for example, visually impaired persons navigating outdoors (among many similar use cases). The complexity of this hardware-focused system merited the introduction of formal methods during its (essentially conventionally structured) development. The aim was to improve the dependability of parts of the implemented system and to estimate, via modelling and calculation, system characteristics that could not be obtained experimentally within the scope of the project. The paper overviews the experience of the very much human-in-the-loop use of formal techniques in the INSPEX Project and focuses particularly on the human issues that impacted the cooperation between the conventional techniques and formal methods.
Chapter
Although the train control system (TCS) is regarded as relatively safe, accidents still happen from time to time. In this paper, we propose a simulation-based approach to elicit new requirements from accidents and then modify the TCS to provide a more reliable and safer system. A Modelica system model is constructed to describe the structure and interactions of the TCS according to the continuous behavior and discrete fault events of TCS devices. A Modelica accident model is also defined on top of the system model in order to predict accidents. These Modelica models are simulated in OpenModelica until all scenarios (paths) are covered. By analyzing the simulation results, which indicate the causes of accidents, we elicit new requirements and modify the original system model. Simulation is used again to show that these modifications can effectively avoid such accidents. A case study is provided to validate our approach.
Chapter
Chapter sections: Metrics in Software Engineering; Predictive Cost Modeling; Uncertainty in Real-Time Systems; Design for Fault Tolerance; Software Testing and Systems Integration; Performance Optimization Techniques; Summary; Exercises; References.
Article
Formal specification languages are often criticized for being difficult to understand, difficult to use, and unacceptable to software practitioners. Notations based on state machines, such as Statecharts, Requirements State Machine Language (RSML), and SCR, are suitable for modeling embedded systems and eliminate many of the main drawbacks of formal specification languages. Although a specification language can help eliminate accidental complexity, the inherent complexity of many of today's systems inevitably leads to large and complex specifications. Thus, there is a need for mechanisms that simplify a formal specification and present information to analysts and reviewers in digestible chunks. In this paper, we present a two-tiered approach to slicing (or simplification) of hierarchical finite state machines. We allow an analyst to simplify a specification based on a scenario. The remaining behavior, called an interpretation of the specification, can then be sliced t...
  • Nancy G. Leveson, Department of Aeronautics and Astronautics, Massachusetts Institute of Technology, Cambridge, MA, USA
  • Richard C. Linger, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA
  • Peter Mataga, Software Production Research Department, Bell Laboratories, Lucent Technologies, NJ, USA
  • Irwin Meisels, ORA Canada, Ottawa, Ontario, Canada
  • David M. Milhelcic, Naval Research Laboratories, Washington D.C., USA
  • Andrew P. Moore, Naval Research Laboratories, Washington D.C., USA
  • Søren Prehn, TERMA Elektronik AS, Birkerod, Denmark
  • Amir Pnueli, Weizmann Institute of Science, Rehovot, Israel
  • Gil Raanan, Perfecto Technologies Limited, Herzelia, Israel