Article

LSCs: Breathing Life into Message Sequence Charts

December 1998
Formal Methods in System Design 19(1)

December 1998
19(1)

DOI:10.1023/A:1011227529550

Source
CiteSeer

Authors:

Werner Damm

OFFIS

David Harel

Weizmann Institute of Science

: While message sequence charts (MSCs) are widely used in industry to document the interworking of processes or objects, they are expressively quite weak, being based on the modest semantic notion of a partial ordering of events as defined, e.g., in the ITU standard. A highly expressive and rigorously defined MSC language is a must for serious, semantically meaningful tool support for use-cases and scenarios. It is also a prerequisite to addressing what we regard as one of the central problems in behavioral specification of systems: relating scenario-based inter-object specification to state-machine intra-object specification. This paper proposes an extension of MSCs, which we call live sequence charts (or LSCs), since our main extension deals with specifying "liveness ", i.e., things that must occur. In fact, LSCs allow the distinction between possible and necessary behavior both globally, on the level of an entire chart and locally, when specifying events, conditions and progress ov...

Traffic Sequence Charts - From Visualization to Semantics

Technical Report

Full-text available

Oct 2017

We present a formalism for scenario based specification via Snapshot Charts (SCs). Snapshot Charts (SCs) are a specification formalism within Traffic Sequence Charts (TSCs), where Snapshot Charts describe the continuous evolution and Live Sequence Charts (LSCs) are used to describe the communication protocols. A snapshot can be thought of as a description of the current state. Like pages in a flip book, we can place snapshots in a sequel to tell a story about dynamic objects. Here, a single snapshot describes invariant properties of a sequel of time contiguous states that hold until the next snapshot. We describe the syntax and semantics of Snapshot Charts (SCs).

Enhancing Deep Reinforcement Learning with Scenario-Based Modeling

Article

Full-text available

Jan 2023

Deep reinforcement learning agents have achieved unprecedented results when learning to generalize from unstructured data. However, the “black-box” nature of the trained DRL agents makes it difficult to ensure that they adhere to various requirements posed by engineers. In this work, we put forth a novel technique for enhancing the reinforcement learning training loop, and specifically—its reward function, in a way that allows engineers to directly inject their expert knowledge into the training process. This allows us to make the trained agent adhere to multiple constraints of interest. Moreover, using scenario-based modeling techniques, our method allows users to formulate the defined constraints using advanced, well-established, behavioral modeling methods. This combination of such modeling methods together with ML learning tools produces agents that are both high performing and more likely to adhere to prescribed constraints. Furthermore, the resulting agents are more transparent and hence more maintainable. We demonstrate our technique by evaluating it on a case study from the domain of internet congestion control, and present promising results.

RoboCert: Property Specification in Robotics

Conference Paper

Oct 2022

RoboStar is a toolkit for model-based development using a domain-specific notation, RoboChart, with enriched UML-like state machines and a custom component model. We present RoboCert: a novel notation, based on UML sequence diagrams, which facilitates the specification of properties over RoboChart components. With RoboCert, we can express properties of a robotic system in a user-friendly, idiomatic manner. RoboCert specifications can be existential or universal, include timing notions such as deadlines and budgets, and both safety and liveness properties. Our work is faithful to UML where it can be, but presents significant extensions to fit the robotics application needs. RoboCert comes with tooling support for modelling and verification by model checking, and formal semantics in tock-CSP, the discrete-time variant of CSP.

Scenario-Assisted Deep Reinforcement Learning

Preprint

Feb 2022

Deep reinforcement learning has proven remarkably useful in training agents from unstructured data. However, the opacity of the produced agents makes it difficult to ensure that they adhere to various requirements posed by human engineers. In this work-in-progress report, we propose a technique for enhancing the reinforcement learning training process (specifically, its reward calculation), in a way that allows human engineers to directly contribute their expert knowledge, making the agent under training more likely to comply with various relevant constraints. Moreover, our proposed approach allows formulating these constraints using advanced model engineering techniques, such as scenario-based modeling. This mix of black-box learning-based tools with classical modeling approaches could produce systems that are effective and efficient, but are also more transparent and maintainable. We evaluated our technique using a case-study from the domain of internet congestion control, obtaining promising results.

Early timing analysis based on scenario requirements and platform models

Article

Full-text available

Apr 2022
SOFTW SYST MODEL

Distributed, software-intensive systems (e.g., in the automotive sector) must fulfill communication requirements under hard real-time constraints. The requirements have to be documented and validated carefully using a systematic requirements engineering (RE) approach, for example, by applying scenario-based requirements notations. The resources of the execution platforms and their properties (e.g., CPU frequency or bus throughput) induce effects on the timing behavior, which may lead to violations of the real-time requirements. Nowadays, the platform properties and their induced timing effects are verified against the real-time requirements by means of timing analysis techniques mostly implemented in commercial-off-the-shelf tools. However, such timing analyses are conducted in late development phases since they rely on artifacts produced during these phases (e.g., the platform-specific code). In order to enable early timing analyses already during RE, we extend a scenario-based requirements notation with allocation means to platform models and define operational semantics for the purpose of simulation-based, platform-aware timing analyses. We illustrate and evaluate the approach with an automotive software-intensive system.

Scenario-Based Algorithmics: Coding Algorithms by Automatic Composition of Separate Concerns

Article

Oct 2021

A method for programming reactive systems, called scenario-based algorithmics, can have several advantages, both in programming and in computer science education. We provide new examples, experiments, and perspectives.

Interweaving AI and Behavioral Programming Towards Better Programming Environments

Chapter

Jul 2021

Contract-Based Specification and Test Generation for Adaptive Systems

Chapter

May 2021

Control systems in railway, automotive or industrial robotic applications are generally tightly integrated into their environment to allow adapting to environmental changes. This paper proposes a contract-based specification and testing approach for adaptive systems based on the combination of a high-level scenario language (LSC variant) and an adaptive contract language (statechart extension). The scenario language supports high-level modeling constructs as well as configurable options for test generation. The adaptive contract language supports the flexible definition of scenario contract activation and deactivation based on environmental changes or interactions. Tests can be derived from adaptive contract descriptions using the combination of graph-traversal algorithms and integrated model checker back-ends. The applicability of the approach is demonstrated in the context of the Gamma framework.

Context-Oriented Behavioral Programming

Article

Full-text available

Dec 2020
INFORM SOFTWARE TECH

Achiya Elyasaf

Context Modern systems require programmers to develop code that dynamically adapts to different contexts, leading to the evolution of new context-oriented programming languages. These languages introduce new software-engineering challenges, such as: how to maintain the separation of concerns of the codebase? how to model the changing behaviors? how to verify the system behavior? and more. Objective This paper introduces Context-Oriented Behavioral Programming (COBP) — a novel paradigm for developing context-aware systems, centered on natural and incremental specification of context-dependent behaviors. As the name suggests, we combine behavioral-programming (BP) — a scenario-based modeling paradigm — with context idioms that explicitly specify when scenarios are relevant and what information they need. The core idea is to connect the behavioral model with a data model that represents the context, allowing an intuitive connection between the models via update and select queries. Combining behavioral-programming with context-oriented programming brings the best of the two worlds, solving issues that arise when using each of the approaches in separation. Methods We begin with providing abstract semantics for COBP and two implementations for the semantics, laying the foundations for applying reasoning algorithms to context-aware behavioral programs. Next, we exemplify the semantics with formal specifications of systems, including a variant of Conway’s Game of Life. Then, we provide two case studies of real-life context-aware systems (one in robotics and another in IoT) that were developed using this tool. Throughout the examples and case studies, we provide design patterns and a methodology for coping with the above challenges. Results The case studies show that the proposed approach is applicable for developing real-life systems, and presents measurable advantages over the alternatives — behavioral programming alone and context-oriented programming alone. Conclusion We present a paradigm allowing programmers and system engineers to capture complex context-dependent requirements and align their code with such requirements.

Categorizing methods for integrating machine learning with executable specifications

Article

Full-text available

Jan 2024

Deep learning (DL), which includes deep reinforcement learning (DRL), holds great promise for carrying out real-world tasks that human minds seem to cope with quite readily. That promise is already delivering extremely impressive results in a variety of areas. However, while DL-enabled systems achieve excellent performance, they are far from perfect. It has been demonstrated, in several domains, that DL systems can err when they encounter cases they had not hitherto encountered. Furthermore, the opacity of the produced agents makes it difficult to explain their behavior and ensure that they adhere to various requirements posed by human engineers. At the other end of the software development spectrum of methods, behavioral programming (BP) facilitates orderly system development using self-standing executable modules aligned with how humans intuitively describe desired system behavior. In this paper, we elaborate on different approaches for combining DRL with BP and, more generally, machine learning (ML) with executable specifications (ES). We begin by defining a framework for studying the various approaches, which can also be used to study new emerging approaches not covered here. We then briefly review state-of-the-art approaches to integrating ML with ES, continue with a focus on DRL, and then present the merits of integrating ML with BP. We conclude with guidelines on how this categorization can be used in decision making in system development, and outline future research challenges.

Constrained Reinforcement Learning for Robotics via Scenario-Based Programming

Preprint

Full-text available

Jun 2022

Deep reinforcement learning (DRL) has achieved groundbreaking successes in a wide variety of robotic applications. A natural consequence is the adoption of this paradigm for safety-critical tasks, where human safety and expensive hardware can be involved. In this context, it is crucial to optimize the performance of DRL-based agents while providing guarantees about their behavior. This paper presents a novel technique for incorporating domain-expert knowledge into a constrained DRL training loop. Our technique exploits the scenario-based programming paradigm, which is designed to allow specifying such knowledge in a simple and intuitive way. We validated our method on the popular robotic mapless navigation problem, in simulation, and on the actual platform. Our experiments demonstrate that using our approach to leverage expert knowledge dramatically improves the safety and the performance of the agent.

Improving Mixed-Signal Verification by Assertion Based Design

Conference Paper

Full-text available

Dec 2021

Nowadays mixed-signal systems are still verified by simulation. The verification process lacks on support of formal verification methods. To bridge the verification gap an assertion based design is essential. This requires formal assertions to describe the demanded temporal behavior. Therefore, we define a formal semantics for mixed-signal assertions. Our approach enables extracting formal mixed-signal assertions from an existing formal system specification in UML. The result is an improved assertion-based design method for verifying mixed-signal circuits which is demonstrated on a Σ/∆-converter.

Parallel Simulation of Cyber-Physical-Systems

Article

Full-text available

Sep 2021
Innovat Syst Software Eng

Model-based-design (MBD) in systems engineering is a well-accepted technique to abstract, analyse, verify, and validate complex systems. In MBD, we design a mathematical model of the system to virtually execute and test systems via model simulations to understand the system dynamics better. Computing model simulations have their challenges; one is to ensure that the simulation trajectory preserves the model semantics. Besides, computing many simulation trajectories over a long time horizon must be time-efficient for rapid respond to system engineers. In this work, we address these challenges in simulating models of Cyber-Physical Systems (CPS), particularly systems possessing mixed discrete-continuous dynamics. We focus on the subclass of CPS’s hybrid automata models, where Jump predicates are restricted to polygonal constraints and present a numerical simulation engine that can efficiently compute many random simulations in parallel by exploiting the parallel computing capability in modern multicore processors. Our simulation engine implements a lock-free parallel breadth-first-search (BFS) like algorithm and is implemented in the model-checking tool XSpeed. In addition, an application of our simulation engine in property verification of CPS models has been illustrated on two benchmarks. Some model coverage metrics have been defined that users of the tool can specify to set the desired thoroughness of testing with simulations. We demonstrate the performance gains of our simulation engine over SpaceEx and CORA, the modern model checkers and simulators for affine hybrid systems.

Iterative and Scenario-based Requirements Specification in a System of Systems Context

Preprint

Full-text available

Feb 2021

[Context&Motivation]Due to the managerial ,operational and evolutionary independence of constituent systems (CSs) in a System of Systems (SoS) context, top-down and linear requirements engineering (RE) approaches are insufficient. RE techniques for SoS must support iterating, changing, synchronizing, and communicating requirements across different abstraction and hierarchy levels as well as scopes of responsibility. [Question/Problem] We address the challenge of SoS requirements specification, where requirements can describe the SoS behavior, but also the behavior of CSs that are developed independently. [Principal Ideas] To support the requirements specification in an SoS environment, we propose a scenario-based and iterative specification technique. This allows requirements engineers to continuously model and jointly execute and test the system behavior for the SoS and the CS in order to detect contradictions in the requirement specifications at an early stage. [Contribution] In this paper, we describe an extension for the scenario-modeling language for Kotlin (SMLK) to continuously and formally model requirements on SoS and CS level. To support the iterative requirements specification and modeling we combine SMLK with agile development techniques. We demonstrate the applicability of our approach with the help of an example from the field of e-mobility.

Towards Repairing Scenario-Based Models with Rich Events

Preprint

Jan 2021

Guy Katz

Repairing legacy systems is a difficult and error-prone task: often, limited knowledge of the intricacies of these systems could make an attempted repair result in new errors. Consequently, it is desirable to repair such systems in an automated and sound way. Here, we discuss our ongoing work on the automated repair of scenario-based models: fully executable models that describe a system using scenario objects that model its individual behaviors. We show how rich, scenario-based models can be model-checked, and then repaired to prevent various safety violations. The actual repair is performed by adding new scenario objects to the model, and without altering existing ones - in a way that is well aligned with the principles of scenario-based modeling. In order to automate our repair approach, we leverage off-the-shelf SMT solvers. We describe the main principles of our approach, and discuss our plans for future work.

A framework for analyzing context-oriented programming languages

Article

Apr 2023
J SYST SOFTWARE

Model-based Analysis and Specification of Functional Requirements and Tests for Complex Automotive Systems

Preprint

Full-text available

Sep 2022

The specification of requirements and tests are crucial activities in automotive development projects. However, due to the increasing complexity of automotive systems, practitioners fail to specify requirements and tests for distributed and evolving systems with complex interactions when following traditional development processes. To address this research gap, we propose a technique that starts with the early identification of validation concerns from a stakeholder perspective, which we use to systematically design tests that drive a scenario-based modeling and automated analysis of system requirements. We discover that Natural Language Processing (NLP) techniques are suitable to automate the test-case design and hence enable the application of our technique to real-world stakeholder requirements. To ensure complete and consistent requirements and test specifications in a form that is required in automotive development projects, we develop a Model-Based Systems Engineering (MBSE) methodology. This methodology supports system architects and test designers in the collaborative application of our technique and in maintaining a central system model, in order to automatically derive the required specifications. We evaluate our methodology by applying it at KOSTAL (Tier1 supplier) and within student projects as part of the masters program Embedded Systems Engineering. Our study corroborates that our methodology is applicable and improves existing requirements and test specification processes by supporting the integrated and stakeholder-focused modeling of product and validation systems, where the early definition of stakeholder and validation concerns fosters a problem-oriented, iterative and test-driven requirements modeling.

La synchronisabilité pour les systèmes distribués

Thesis

Dec 2021

Laetitia Laversa

Les systèmes distribués sont omniprésents, cependant leur implémentation est complexe et sujette aux erreurs. Pour les vérifier, ils peuvent être modélisés en système d’automates communicants, où chaque automate représente le comportement d'un élément du système. Les propriétés liées à la vérification, telles que le problème de l'accessibilité, restent indécidables dans un tel modèle. En effet, un système d’automates communiquant de façon asynchrone est Turing équivalent. C’est pourquoi l'utilisation d'approximations est donc nécessaire. La k-synchronisabilité est l’une de ces approximations. Un système est k-synchronisable si pour toute exécution, il existe une exécution équivalente pouvant être divisée en phases, appelées k-échanges, contenant k messages. Dans cette thèse, nous nous intéressons à l'analyse des systèmes k-synchronisables : nous montrons que le problème de l’accessibilité est décidable et nous nous interrogeons sur la k-synchronisabilité d’un système donné. Pour ce deuxième point, nous regardons le cas où un k est passé en paramètre, et le cas où il faut trouver le k tel que le système est k- synchronisable. Nous prouvons que ces deux problèmes sont décidables lorsque le système communique en boîte aux lettres. Le premier problème est également décidable en pair-à-pair, mais, avec ce type de communication, le deuxième problème reste ouvert. Nous complétons cette étude en identifiant certaines implications contre-intuitives de la notion de k-synchronisabilité, celles-ci nous ont poussés à définir des variantes de la k-synchronisabilité. Une étude comparative de différentes classes de systèmes, soit étudiées ou définies dans cette thèse, soit provenant de la littérature, conclut nos travaux.

Testing Reactive Systems Using Behavioural Programming, a Model Centric Approach

Preprint

Full-text available

Dec 2021

Yeshayahu Weiss

Testing is a significant aspect of software development. As systems become complex and their use becomes critical to the security and the function of society, the need for testing methodologies that ensure reliability and detect faults as early as possible becomes critical. The most promising approach is the model-based approach where a model is developed that defines how the system is expected to behave and how it is meant to react. The tests are derived from the model and an analysis of the test results is conducted based on it. We will investigate the prospects of using the Behavioral Programming (BP) for a model-based testing (MBT) approach that we will develop. We will develop a natural language for representing the requirements. The model will be fed to algorithms that we will develop. This includes algorithms for the automatic creation of minimal sets of test cases that cover all of the system's requirements, analysing the results of the tests, and other tools that support the testing process. The focus of our methodology will be to find faults caused by the interaction between different requirements in ways that are difficult for the testers to detect. Specifically, we will focus our attention to concurrency issues such as deadlocks and logical race condition. We will use a variety of methods that are made possible by BP, such as non-deterministic execution of scenarios and use of in-code model-checking for building test scenarios and for finding minimal coverage of the test scenarios for the system requirements using Combinatorial Test Design (CTD) methodologies. We will develop a proof-of-concept tool kit which will allow us to demonstrate and evaluate the above mentioned capabilities. We will compare the performance of our tools with the performance of manual testers and of other model-based tools using comparison criteria that we will define and develop.

Integrated and Iterative Requirements Analysis and Test Specification: A Case Study at Kostal

Conference Paper

Oct 2021

Currently, practitioners follow a top-down approach in automotive development projects. However, recent studies have shown that this top-down approach is not suitable for the implementation and testing of modern automotive systems. Specifically, practitioners increasingly fail to specify requirements and tests for systems with complex component interactions (e.g., e-mobility systems). In this paper, we address this research gap and propose an integrated and iterative scenario-based technique for the specification of requirements and test scenarios. Our idea is to combine both a top-down and a bottom-up integration strategy. For the top-down approach, we use a behavior-driven development (BDD) technique to drive the modeling of high-level system interactions from the user's perspective. For the bottom-up approach, we discovered that natural language processing (NLP) techniques are suited to make textual specifications of existing components accessible to our technique. To integrate both directions, we support the joint execution and automated analysis of system-level interactions and component-level behavior. We demonstrate the feasibility of our approach by conducting a case study at Kostal (Tier1 supplier). The case study corroborates, among other things, that our approach supports practitioners in improving requirements and test specifications for integrated system behavior.

An operational semantics of interactions for verifying partially observed executions of distributed systems

Thesis

Jul 2021

Erwan Mahe

Interactions represent asynchronous communications in a distributed context and can be represented graphically in an intuitive manner while allowing the specification of precise scheduling policies for ordering events. In this thesis, we formalize such models as an Interaction Language (IL) taking the form of a term algebra which includes strict and weak sequencing, alternative and parallel composition and four semantically distinct loops to express nuances when repeating behaviors.This IL is equipped with a semantics associating a set of traces (sequences of events) to each interaction. A denotational formulation as a homomorphism allows the use of rewriting to define equivalence classes and normal forms. An operational formulation, proven equivalent to the first, allows further applications in formal verification.During the execution of a distributed system, communication logs might be collected locally. Without a global clock, events cannot be reordered globally. Hence analyzing an execution comes back to analyzing a set of local traces that we call a multi-trace. In addition one might start the observation too late or end it too early on any local component. As a result, a multi-trace might correspond to a partially observed execution. Taking advantage of the operational semantics we define algorithms for identifying multi-traces as being observations of behaviors specified by an interaction model.We have implemented our approach in a formal verification tool: HIBOU, which allows the specification and drawing of interactions, the exploration of their semantics, the computation of normal forms or the analysis of multi-traces.The IL can be extended to include data in the form of locally defined variables. Guards, formulated as Boolean expressions on variables can condition the execution of individual actions, while messages can carry data.This extension has also been implemented and we use symbolic execution to animate models and perform the analyses. An industrial case study has been carried out in the context of the DisTA FUI project.

Model-based Requirement Pattern Catalog

Technical Report

Full-text available

Oct 2017

Scenario-based requirements engineering addresses the message-based coordination of software-intensive systems and enables, if underpinned with formal languages, automatic requirements validation techniques for improving the quality of a requirements specification. One of such requirements engineering approaches bases on a recent visual Live Sequence Chart variant compliant to the Unified Modeling Language, so-called Modal Sequence Diagrams (MSDs). The usage of patterns is known to be constructive thanks to assembling solutions by means of reusable building blocks that are proven in practice, so that recurring problems do not need to be solved over and over again. Thus, patterns also gained momentum in the area of requirements documentation. In this technical report, we introduce a model- and scenario-based pattern catalog for MSD requirements. Our MSD requirement pattern catalog consolidates and unifies 86 requirement patterns from three well-known, practice-oriented requirement pattern catalogs, each covering different aspects.

Multi-Level Message Sequence Charts to Validate the Collaborative Automotive Cyber-Physical Systems

Article

Full-text available

Jan 2021

Integrated and Iterative Requirements Analysis and Test Specification: A Case Study at Kostal

Preprint

Full-text available

Jul 2021

Towards a framework for analyzing context-oriented programming languages

Conference Paper

Jul 2021

Scenario-based specification of security protocols and transformation to security model checkers

Conference Paper

Full-text available

Oct 2020

Systematik zur integrativen Anforderungsanalyse und Testspezifikation für die Entwicklung von Systemen im Automobilbereich

Thesis

Mar 2024

Carsten Wiecher

Systems in the automotive industry achieve complex functionalities through the interaction in dynamically interconnected system networks. The individual systems offer partial functions developed within extensive development networks, which are then integrated to create a functionality that can be experienced by the user. For the successful development and validation of these systems, requirement and test specifications play a vital role, as these specifications form the basis for development work across disciplines and organisa- tions. However, it is challenging to specify requirements and tests in a way that they can be easily edited and communicated, while also precisely defining the expected system properties. This thesis describes a comprehensive model-based approach. Starting from a central system model, early and automated analysis of requirements is supported, leading to complete and consistent requirement and test specifications derived from the system model. The appropriate combination of techniques from Model-Based Systems Engineering (MBSE), Natural Language Processing (NLP), and scenario-based modeling enables a formal yet intuitive and application-oriented specification of requirements and tests.

Visual Formalisms

Chapter

Dec 2018

Domain Modelling: A Foundation for Software Development

Chapter

Sep 2023

Dines Bjørner

Domain modelling, as per the approach of this paper, offers the possibility of describing software application domains in a precise and comprehensive manner – well before requirements capture can take place. We endow domain modelling with appropriate analysis and description calculi and a systematic method for constructing domain models. The present paper is a latest exposé of the domain science & engineering as published in earlier papers and a book. It reports on our most recent simplifications to the domain analysis & description approach.

Accessible Pattern Analyses in Kappa Models

Chapter

Aug 2023

Jérôme Feret

Computer Science Education Research in Israel

Chapter

Full-text available

Apr 2023

Computer science education has been researched in Israel for a few decades, both at the K-12 and the undergraduate levels. The rich variety of the investigated topics addressed from the very beginning issues beyond the introductory course and programming, including the nature of the discipline and its fundamental ideas and concepts, which are stable, unlike the more technological aspects. Understanding the nature of the discipline and mapping its fundamental ideas and concepts constitute the basis on which curricula stand. Therefore, we chose to organize this chapter around ideas and concepts of CS. In line with this perspective, we will discuss research of all age levels: K-12, undergraduate, and even the graduate level, as well as research relating to teachers. We will present design-based research, which accompanied the design of new curricula, as well as studies aiming at identifying phenomena, or investigating educational hypotheses. We will also point out current challenges and possible future directions.

Component‐based specification, design and verification of adaptive systems

Article

Full-text available

Apr 2023

Control systems are typically tightly embedded into their environment to enable adaptation to environmental effects. As the complexity of such adaptive systems is rapidly increasing, there is a strong need for coherent tool‐centric approaches to aid their systematic development. This paper proposes an end‐to‐end component‐based specification, design and verification approach for adaptive systems based on the integration of a high‐level scenario language (sequence chart variant) and an adaptation definition language (statechart extension) in the open source Gamma tool. The scenario language supports high‐level constructs for specifying contracts and the adaptation definition language supports the flexible activation and deactivation of static contracts and managed elements (state‐based components) based on internal changes (e.g., faults), environmental changes (e.g., varying context) or interactions. The approach supports linking managed elements to static contracts to formally verify their adherence to the specified behavior at design time using integrated model checkers. Implementation can be derived from the adaptation model automatically, which can be tested using automated test generation and verified at runtime by contract‐based monitors.

RoboCert: Property Specification in Robotics

Chapter

Oct 2022

Towards a Digital Highway Code using Formal Modelling and Verification of Timed Automata

Article

Full-text available

Sep 2022

Trustworthy Autonomous System Development

Article

Jun 2022

Autonomous systems emerge from the need to progressively replace human operators by autonomous agents in a wide variety of application areas. We offer an analysis of the state of art in developing autonomous systems, focusing on design and validation, and showing that the multi-faceted challenges involved go well beyond the limits of weak AI. We argue that traditional model-based techniques are defeated by the complexity of the problem, while solutions based on end-to-end machine learning fail to provide the necessary trustworthiness. We advocate a hybrid design approach, which combines the two, adopting the best of each, and seeks tradeoffs between trustworthiness and performance. We claim that traditional risk analysis and mitigation techniques fail to scale, and discuss the trend of moving away from correctness at design time and towards reliance on runtime assurance techniques. We argue that simulation and testing remain the only realistic approach for global validation, and show how current methods can be adapted to autonomous systems. We conclude by discussing the factors that will play a decisive role in the acceptance of autonomous systems, and by highlighting the urgent need for new theoretical foundations.

A Framework for Analyzing Context-Oriented Programming Languages

Article

Jan 2022

Parallel Simulation of Cyber-Physical-Systems

Chapter

Sep 2021

Model-based design (MBD) in systems engineering is a well-accepted technique to abstract, analyze, verify, and validate complex systems. In MBD, we design a mathematical model of the system to virtually execute and test systems via model simulations to understand the system dynamics better. Computing model simulations have their challenges: one is to ensure that the simulation trajectory preserves the model semantics. Besides, computing many simulation trajectories over a long time-horizon must be time-efficient for rapid response to system engineers. In this work, we address these challenges in simulating models of Cyber-Physical-Systems (CPS), particularly systems possessing mixed discrete-continuous dynamics. We focus on the subclass of CPS’s hybrid-automata models, where jump predicates are restricted to polygonal constraints and present a numerical simulation engine that can efficiently compute many random simulations in parallel by exploiting the parallel computing capability in modern multicore processors. Our simulation engine implements a lock-free parallel breadth-first-search (BFS) like algorithm and is implemented in the model-checking tool XSpeed. We demonstrate the performance gains of our simulation engine over SpaceEx and CORA, the modern model checkers and simulators for affine hybrid systems.

On Education and Training in Formal Methods for Industrial Critical Systems

Chapter

Aug 2021

Bernd Westphal

The 2020 expert survey on formal methods has put one topic into the focus of the formal methods for industrial critical systems community: education and training. Of three overall conclusions, the first one finds the survey to indicate “a consensus about the essential role of education”. At the same time, survey results and individual expert statements indicate largely open challenges. In this work, we analyse the 2020 expert survey results from an education and training perspective, and we discuss the proposal of an integrative approach with respect to these challenges. A central enabler for the integrated approach is the modern, inclusive interpretation of formal methods as put forth in the survey report and a differentiated understanding of roles (or stakeholders) in formal methods for industrial critical systems.

Modellbasiertes Testen kooperierender autonomer Systeme auf Basis farbiger Petri-Netze

Thesis

Jan 2021

Raimar Lill

In dieser Arbeit wird ein modellbasierter Testansatz für kooperierende autonome Systeme auf Basis farbiger Petri-Netze vorgestellt. Dazu werden zunächst verschiedene Modellierungssprachen zusammengetragen, die potenziell geeignet erscheinen, der hohen Komplexität derartiger Systeme gerecht zu werden. Anhand eines aufgestellten Kriterienkatalogs werden die Ansätze hinsichtlich ihrer Einsetzbarkeit bewertend verglichen. Aufbauend auf der Wahl farbiger Petri-Netze für die weitere Verfolgung des Ansatzes werden Überdeckungskriterien als objektiv messbare Testziele eingeführt und zueinander in Relation gesetzt. Die Generierung der Testfallmengen stellt dabei ein multi-objektives Optimierungsproblem dar. Während die strukturelle Überdeckung hinsichtlich eines ausgewählten Kriteriums zu maximieren ist, soll die Anzahl der Testfälle aus Gründen der Wirtschaftlichkeit möglichst niedrig gehalten werden. Zur Lösung dieses gegenläufigen Optimierungsproblems werden sowohl analytische als auch heuristische Verfahren vorgestellt. Der heuristische Ansatz wird dabei in Form von genetischen Algorithmen verfolgt. Die dafür notwendigen Operatoren werden in Bezug auf die gewählte Modellierungssprache der farbigen Petri-Netze detailliert beschrieben. Besondere Bedeutung kommt hierbei einer multiobjektiven Optimierung mittels Pareto-optimaler Lösungen zu, die es dem Anwender erlaubt, zwischen optimalen Lösungsalternativen auszuwählen. Die im Zuge der Arbeit entwickelten Ansätze und Werkzeuge werden schließlich an einer fiktiven Anwendung erprobt. Diese ist inspiriert durch das von der Europäischen Union und dem Bundesministerium für Bildung und Forschung (BMBF) geförderte Projekt „Resilient Reasoning Robotic Co-operating Systems“ (R3-COP). Zudem erfolgt eine Evaluierung der Güte der generierten Testfallmengen mittels eines modellbasierten Mutationstests.

Verification of Liveness and Safety Properties of Behavioral Programs Using BPjs

Conference Paper

Aug 2021

This paper presents semantics, syntax, and tools for specification and verification of safety and liveness properties of behavioral programs. Verification is performed directly on program code, by traversing its transition system. Liveness properties are defined using “hot states”, in which scenarios are allowed to stay for a finite time, but not forever. Safety properties are defined using assertions which allow labeling program states as having violations, and by analyzing program states for deadlocks detection. The paper defines liveness violations with regards to specific program components and describes an approach for validating the absence of such violations is a system. The proposed approach is supported by BPjs, an open-source tool suite developed by the authors.

A Survey on Automated Log Analysis for Reliability Engineering

Article

Jul 2021

Logs are semi-structured text generated by logging statements in software source code. In recent decades, software logs have become imperative in the reliability assurance mechanism of many software systems, because they are often the only data available that record software runtime information. As modern software is evolving into a large scale, the volume of logs has increased rapidly. To enable effective and efficient usage of modern software logs in reliability engineering, a number of studies have been conducted on automated log analysis. This survey presents a detailed overview of automated log analysis research, including how to automate and assist the writing of logging statements, how to compress logs, how to parse logs into structured event templates, and how to employ logs to detect anomalies, predict failures, and facilitate diagnosis. Additionally, we survey work that releases open-source toolkits and datasets. Based on the discussion of the recent advances, we present several promising future directions toward real-world and next-generation automated log analysis.

Eingebettete Systeme: Grundlagen Eingebetteter Systeme in Cyber-Physikalischen Systemen

Book

Full-text available

Jan 2021

Peter Marwedel

Ein Alleinstellungsmerkmal dieses Open-Access-Lehrbuchs ist die umfassende Einführung in das Grundlagenwissen über eingebettete Systeme mit Anwendungen in cyber-physischen Systemen und dem Internet der Dinge. Es beginnt mit einer Einführung in das Gebiet und eine Übersicht über Spezifikationsmodelle und -sprachen für eingebettete und cyber-physikalische Systeme. Es gibt einen kurzen Überblick über die für solche Systeme verwendeten Hardware-Geräte und stellt die Grundlagen der Systemsoftware für eingebettete Systeme vor, einschließlich Echtzeit-Betriebssystemen. Der Autor erörtert auch Evaluierungs- und Validierungstechniken für eingebettete Systeme und gibt einen Überblick über Techniken zur Abbildung von Anwendungen auf Ausführungsplattformen, inklusive Multi-Core-Plattformen. Eingebettete Systeme müssen unter engen Randbedingungen arbeiten, daher enthält das Buch auch einen ausgewählten Satz von Optimierungstechniken, mit einem Schwerpunkt bei Software-Optimierungstechniken. Das Buch schließt mit einer kurzen Übersicht über das Testen. Die vierte Auflage wurde aktualisiert und überarbeitet, um neue Trends und Technologien zu berücksichtigen, wie z. B. die Bedeutung von cyber-physischen Systemen (CPS) und dem Internet der Dinge (IoT), die Entwicklung von Single-Core-Prozessoren hin zu Multi-Core-Prozessoren und die zunehmende Bedeutung von Energieeffizienz und thermischen Fragen. Der Inhalt Einleitung - Spezifikation und Modellierung - Hardware eingebetteter Systeme - Systemsoftware - Bewertung und Validierung - Abbildung von Anwendungen (Scheduling) - Optimierung - Test Der Autor Prof. Dr. Peter Marwedel erhielt die Grade eines Dr. rer. nat. in Physik und eines Dr. habil. in Informatik von der Universität Kiel. Von 1989–2014 leitete er den Lehrstuhl für Technische Informatik und Eingebettete Systeme an der Fakultät für Informatik der TU Dortmund. Sein Forschungsinteresse gilt der effizienten Realisierung eingebetteter und cyber-physikalischer Systeme. Den Sonderforschungsbereich 876 zur ressourceneffizienten Analyse großer Datensätze hat er mitinitiiert und er war dessen erster stellvertretender Vorsitzender.

Systemsoftware

Chapter

Full-text available

May 2021

Peter Marwedel

Zusammenfassung Zur Bewältigung der Komplexität des Entwurfes von Anwendungen eingebetteter Systeme ist die Wiederverwendung von Komponenten ein wichtiges Hilfsmittel.

Iterative and Scenario-Based Requirements Specification in a System of Systems Context

Chapter

Apr 2021

[Context & Motivation] Due to the managerial, operational and evolutionary independence of constituent systems (CSs) in a System of Systems (SoS) context, top-down and linear requirements engineering (RE) approaches are insufficient. RE techniques for SoS must support iterating, changing, synchronizing, and communicating requirements across different abstraction and hierarchy levels as well as scopes of responsibility. [Question/Problem] We address the challenge of SoS requirements specification, where requirements can describe the SoS behavior, but also the behavior of CSs that are developed independently. [Principal Ideas] To support the requirements specification in an SoS environment, we propose a scenario-based and iterative specification technique. This allows requirements engineers to continuously model and jointly execute and test the system behavior for the SoS and the CS in order to detect contradictions in the requirement specifications at an early stage. [Contribution] In this paper, we describe an extension for the scenario-modeling language for Kotlin (SMLK) to continuously and formally model requirements on SoS and CS level. To support the iterative requirements specification and modeling we combine SMLK with agile development techniques. We demonstrate the applicability of our approach with the help of an example from the field of e-mobility.

Runtime verification of train control systems with parameterized modal live sequence charts

Article

Mar 2021
J SYST SOFTWARE

With the growing complexity of railway control systems, it is required to preform runtime safety checks of system executions that go beyond conventional runtime monitoring of pre-programmed safety conditions. Runtime verification is a lightweight and rigorous formal method that dynamically analyses execution traces against some formal specifications. A challenge in applying this method in railway systems is defining a suitable monitoring specification language, i.e., a language that is expressive, of reasonable complexity, and easy to understand. In this paper, we propose parameterized modal live sequence charts (PMLSCs) by introducing the alphabet of the specification into charts to distinguish between silent events and unexpected events. We further investigate the expressiveness and complexity theories of the language. In particular, we prove that PMLSCs are closed under negation and the complexity of a subclass of PMLSCs is linear, which allows the language to be used to monitor a system online. Finally, we use PMLSCs to monitor an RBC system in the Chinese high-speed railway and evaluate the performance. The experimental results show that the PMLSC has high monitoring efficiency, and can reduce false alarm rate by introducing alphabets of charts.

Selecting Features for the Next Release in a System of Systems Context

Conference Paper

Sep 2021

Smart Cities are developing in parallel with the global trend towards urbanization. The ultimate goal of Smart City projects is to deliver a positive impact for the citizens and the socio-economic and ecological environment. This involves the challenge to derive concrete requirements for (technical) projects from overarching concepts like Quality of Life (QoL) and Subjective Well-Being (SWB). Linking long-term, impact oriented goals with project outputs and outcomes is a complex problem. Decision making on requirements and resulting features of single Smart City projects (or systems) is even more com- plex since cities are not like monolithic, hierarchical and well- structured systems. Nevertheless, systems engineering provides concepts which support decision making in such situations. Complex socio-technical systems such as smart cities can be characterized as systems of systems (SoS). A SoS is composed of independently developed systems that nevertheless provide a higher-level integrated functionality. To add new functionality to a SoS, either existing systems must be extended or new systems must be developed and integrated. In both cases, the extension of functionality is usually done in small increments and structured via software releases. However, the decision which features to include in the next release is complex and difficult to manage when done manually. To address this, we make use of the multi- objective next release problem (MONRP) to search for an optimal set of features for a software release in a SoS context. In order to refine the search in an early planning phase, we propose a technique to model and validate the features using the scenario modeling language for Kotlin (SMLK). This is demonstrated with a proof-of-concept implementation.

Selecting Features for the Next Release in a System of Systems Context

Preprint

Feb 2021

Smart Cities are developing in parallel with the global trend towards urbanization. The ultimate goal of Smart City projects is to deliver a positive impact for the citizens and the socio-economic and ecological environment. This involves the challenge to derive concrete requirements for (technical) projects from overarching concepts like Quality of Life (QoL) and Subjective Well-Being (SWB). Linking long-term, impact oriented goals with project outputs and outcomes is a complex problem. Decision making on requirements and resulting features of single Smart City projects (or systems) is even more complex since cities are not like monolithic, hierarchical and well structured systems. Nevertheless, systems engineering provides concepts which support decision making in such situations. Complex socio-technical systems such as smart cities can be characterized as systems of systems (SoS). A SoS is composed of independently developed systems that nevertheless provide a higher-level integrated functionality. To add new functionality to a SoS, either existing systems must be extended or new systems must be developed and integrated. In both cases, the extension of functionality is usually done in small increments and structured via software releases. However, the decision which features to include in the next release is complex and difficult to manage when done manually. To address this, we make use of the multi-objective next release problem (MONRP) to search for an optimal set of features for a software release in a SoS context. In order to refine the search in an early planning phase, we propose a technique to model and validate the features using the scenario modeling language for Kotlin (SMLK). This is demonstrated with a proof-of-concept implementation.

Augmenting Deep Neural Networks with Scenario-Based Guard Rules

Chapter

Feb 2021

Guy Katz

Deep neural networks (DNNs) are becoming widespread, and can often outperform manually-created systems. However, these networks are typically opaque to humans, and may demonstrate undesirable behavior in corner cases that were not encountered previously. In order to mitigate this risk, one approach calls for augmenting DNNs with hand-crafted override rules. These override rules serve to prevent the DNN from making certain decisions, when certain criteria are met. Here, we build on this approach and propose to bring together DNNs and the well-studied scenario-based modeling paradigm, by encoding override rules as simple and intuitive scenarios. We demonstrate that the scenario-based paradigm can render override rules more comprehensible to humans, while keeping them sufficiently powerful and expressive to increase the overall safety of the model. We propose a method for applying scenario-based modeling to this new setting, and apply it to multiple DNN models. (This paper substantially extends the paper titled “Guarded Deep Learning using Scenario-Based Modeling”, published in Modelsward 2020 [47]. Most notably, it includes an additional case study, extends the approach to recurrent neural networks, and discusses various aspects of the proposed paradigm more thoroughly).

Specifications and Modeling

Chapter

Full-text available

Jan 2021

Peter Marwedel

How can we describe the system which we would like to design, and how can we represent intermediate design information? Models and description techniques for initial specifications as well as for intermediate design information will be shown in this chapter. First of all, we will capture requirements for modeling techniques. Next, we will provide an overview of models of computation. This will be followed by a presentation of popular models of computations, in combination with examples of the corresponding languages. The presentation includes models for early design phases, automata-based models, data flow, Petri nets, discrete event models, von Neumann languages, and abstraction levels for hardware modeling. Finally, we will compare different models of computation and present exercises.

On Complementing an Undergraduate Software Engineering Course with Formal Methods

Conference Paper

Nov 2020

Bernd Westphal

From MSCs to statecharts

Conference Paper

Full-text available

Jan 1998

We present a first step towards a seamless integration of MSCs into the system development process. In particular, we show how scenario-based system requirements, captured in the early system analysis phase using MSCs, are translated into state-based description techniques like Statecharts. To this end, we sketch a schematic integration of MSCs and Statecharts.

An Analyzer for Message Sequence Charts.

Article

Full-text available

Jan 1996
Software Concepts Tool

Message sequence charts (MSCs) are used in the design phase of a distributed system to record intended system behaviors. They serve as informal documentation of design requirements that are referred to throughout the design process and even in the final system integration and acceptance testing. We show that message sequence charts are open to a variety of semantic interpretations. The meaning of an MSC can depend on, for instance, whether one allows or denies the possibility of message loss or message overtaking, and on the particulars of the message queuing policy to be adopted. We describe an analysis tool that can perform automatic checks on message sequence charts and can alert the user to the existence of subtle design errors, for any predefined or user-specified semantic interpretation of the chart. The tool can also be used to specify time constraints on message delays, and can then return useful additional timing information, such as the minimum and the maximum possible delays between pairs of events.

Interpreting Message Flow Graphs

Article

Full-text available

Sep 1995

We give a semantics for Message Flow Graphs (MFGs), which play the role for interprocess communication that Program Dependence Graphs play for control flow in parallel processes. MFGs have been used to analyse parallel code, and are closely related to Message Sequence Charts and Time Sequence Diagrams in telecommunications systems. Our requirements are firstly, to determine unambiguously exactly what execution traces are specified by an MFG, and secondly, to use a finite-state interpretation. Our methods function for both asynchronous and synchronous communications. From a set of MFGs, we define a transition system of global states, and from that a Buchi automaton by considering safety and liveness properties of the system. In order easily to describe liveness properties, we interpret the traces of the transition system as a model of Manna-Pnueli temporal logic. Finally, we describe the expressive power of MFGs by mimicking an arbitrary Buchi automaton by means of a set of MFGs. 1. In...

Synthesizing ROOM Models from Message Sequence Chart Specifications

Article

Full-text available

Message Sequence Chart (MSC) specifications have found their way into many software engineering methodologies and CASE tools, in particular in the area of telecommunications and concurrent real-time systems. MSC specifications often represent early life-cycle requirements and high-level design specifications. We are considering terating and branching MSC specifications according to ITU-T Recommendation Z.120. We show how these specifications can be analyzed with respect to their software architectural content, induding structure and bchavior. We present algorithms for the automated synthesis of Real-Time Object-Oriented Modeling (ROOM) models from MSC specifications and discuss their implementation in the MESA toolset. The automation of the synthesis contributes to making the transition from high-level, message exchange-oriented views to the level of a full life-cycle architecture description more efficient and reliable. This means that we are contributing to making Z.120 MSC specifications more useful in the software engineering process.

Synthesizing software architecture descriptions from Message Sequence Chart specifications

Conference Paper

Full-text available

Nov 1998

Message Sequence Chart (MSC) specifications have found their way into many software engineering methodologies and CASE tools, in particular to represent early life-cycle requirements and high-level design specifications. We analyze iterating and branching MSC specifications with respect to their software architectural content. We present algorithms for the automated synthesis of Real-Time Object-Oriented Modeling (ROOM) models from MSC specifications and discuss their implementation in the MESA toolset

STATEMATE: A working environment for the development of complex reactive systems

Article

Full-text available

May 1990

STATEMATE is a set of tools, with a heavy graphical orientation, intended for the specification, analysis, design, and documentation of large and complex reactive systems. It enables a user to prepare, analyze, and debug diagrammatic, yet precise, descriptions of the system under development from three interrelated points of view, capturing structure, functionality, and behavior. These views are represented by three graphical languages, the most intricate of which is the language of statecharts, used to depict reactive behavior over time. In addition to the use of statecharts, the main novelty of STATEMATE is in the fact that it understands the entire descriptions perfectly, to the point of being able to analyze them for crucial dynamic properties, to carry out rigorous executions and simulations of the described system, and to create running code automatically. These features are invaluable when it comes to the quality and reliability of the final outcome

Tools and Algorithms for the Construction and Analysis of Systems

Article

Full-text available

Oct 1997

In this paper we show how to construct optimal bitvector analysis algorithms for parallel programs with shared memory that are as efficient as their purely sequential counterparts, and which can easily be implemented. Whereas the complexity result is rather obvious, our optimality result is a consequence of a new Kam/Ullman-style Coincidence Theorem. Thus using our method, the standard algorithms for sequential programs computing liveness, availability, very business, reaching definitions, definition-use chains, or performing partially redundant expression and assignment elimination, partial dead code elimination or strength reduction, can straightforward be transferred to the parallel setting at almost no cost. Keywords: Parallelism, interleaving semantics, synchronization, program optimization, data flow analysis, bitvector problems, definition-use chains, partially redundant expression elimination, partial dead code elimination. 1 Motivation Parallel implementations are of growing...

Synthesizing State-Based Object Systems from LSC Specifications

Conference Paper

Full-text available

May 2002

Live sequence charts (LSCs) have been defined recently as an extension of message sequence charts (MSCs; or their UML variant, sequence diagrams) for rich inter-object specification. One of the main additions is the notion of universal charts and hot, mandatory behavior, which, among other things, enables one to specify forbidden scenarios. LSCs are thus essentially as expressive as statecharts. This paper deals with synthesis, which is the problem of deciding, given an LSC specification, if there exists a satisfying object system and, if so, to synthesize one automatically. The synthesis problem is crucial in the development of complex systems, since sequence diagrams serve as the manifestation of use cases – whether used formally or informally – and if synthesizable they could lead directly to implementation. Synthesis is considerably harder for LSCs than for MSCs, and we tackle it by defining consistency, showing that an entire LSC specification is consistent iff it is satisfiable by a state-based object system, and then synthesizing a satisfying system as a collection of finite state machines or statecharts.

Specification and verification of system-level hardware designs using timing diagrams

Article

Jan 1993

Executable object modeling with statecharts

Article

Jan 1996

From play-in scenarios to code: An achievable dream:(Preliminary version, January 2000)

Article

Jan 2000

D. Harel

We discuss the possibility of a complete system development scheme, supported by semantically rigorous automated tools, within which one can go from an extremely high-level, user-friendly requirement capture method, which we call play-in scenarios, to a final implementation. A cyclic process consisting of verification against requirements and synthesis from requirements plays an important part in the scheme, which is not quite as imaginary as it may sound.

Statecharts: A Visual Formalism For Complex Systems

Article

Jun 1987
SCI COMPUT PROGRAM

David Harel

We present a broad extension of the conventional formalism of state machines and state diagrams, that is relevant to the specification and design of complex discrete-event systems, such as multi-computer real-time systems, communication protocols and digital control units. Our diagrams, which we call statecharts, extend conventional state-transition diagrams with essentially three olements, dealing, respectively, with the notions of hierarchy, concurrency and communication. These transform the language of state diagrams into a highly structured' and economical description language. Statecharts are thus compact and expressive--small diagrams can express complex behavior--as well as compositional and modular. When coupled with the capabilities of computerized graphics, statecharts enable viewing the description at different levels of detail, and make even very large specifications manageable and comprehensible. In fact, we intend to demonstrate here that statecharts counter many of the objections raised against conventional state diagrams, and thus appear to render specification by diagrams an attractive and plausible approach. Statecharts can be used either as a stand-alone behavioral description or as part of a more general design methodology that deals also with the system's other aspects, such as functional decomposition and data-flow specification. We also discuss some practical experience that was gained over the last three years in applying the statechart formalism to the specification of a particularly complex system.

The Unified Modeling Language for Object-Oriented Development

Article

Jan 1996

Einsatz formaler Methoden zur Erh?ohung der Sicherheit eingebetteter Systeme im Kfz

Article

Modeling Reactive Systems with Statecharts: The Statemate Approach

Article

Jan 1998

Synthesizing object systems from LSC speciflcations

Article

Specification and verification of VHDL-based system-level hardware designs

Article

Sep 1995

This chapter provides the semantic foundation of a formal verification environment for VHDL. The envisaged tool supports specification of system-level hardware designs using an extension of the classical concepts of timing diagrams allowing us to express first-order properties and causality relations between events. A formal semantics of such symbolic timing diagrams is given in terms of a linear time first-order temporal logic. System-level designs expressed in VHDL – an IEEE standard hardware description language – can be verified against temporal logic specifications using a compositional proof system presented in this chapter. This proof-system is proved correct with respect to a formal semantics for VHDL in the style of structural operational semantics based on transition systems. For the special case of VHDL designs using finite data types only, the semantics provides a link to model-checking tools allowing automatic verification of VHDL designs against a temporal logic specification. Such a verification environment is currently under development within the ESPRIT project FORMAT.

Doing Hard Time: Devloping Real-Time Systems with UML, Objects, Frameworks, and Patterns

Book

Jan 1999

Bruce Powel Douglass

Towards a Petri net Based Semantics Definition for Message Sequence Charts

Conference Paper

Jan 1993

Symbolic Model Checking: 1020 States and Beyond

Article

Jan 1989

Many different methods have been devised for automatically verifying finite state systems by examining state-graph models of system behavior. These methods all depend on decision procedures that explicitly represent the state space using a list or a table that grows in proportion to the number of states. We describe a general method that represents the state space symbolically instead of explicitly. The generality of our method comes from using a dialect of the Mu-Calculus as the primary specification language. We describe a model checking algorithm for Mu-Calculus formulas that uses Bryant's Binary Decision Diagrans (Bryant, R. E., 1986, IEEE Trans. Comput.C-35) to represent relations and formulas. We then show how our new Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL model checking, satisfiability of linear-time temporal logic formulas, strong and weak observational equivalence of finite transition systems, and language containment for finite ω-automata. The fixed point computations for each decision procedure are sometimes complex, but can be concisely expressed in the Mu-Calculus. We illustrate the practicality of our approach to symbolic model checking by discussing how it can be used to verify a simple synchronous pipeline circuit.

Symbolic Model Checking: 10^20 States and Beyond

Conference Paper

Jan 1990

Many different methods have been devised for automatically verifying finite state systems by examining state-graph models of system behavior. These methods all depend on decision procedures that explicitly represent the state space using a list or a table that grows in proportion to the number of states. We describe a general method that represents the state space symbolically instead of explicitly. The generality of our method comes from using a dialect of the Mu-Calculus as the primary specification language. We describe a model checking algorithm for Mu-Calculus formulas that uses Bryant's Binary Decision Diagrams (1986) to represent relations and formulas. We then show how our new Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL model checking, satisfiability of linear-time temporal logic formulas, strong and weak observational equivalence of finite transition systems, and language containment for finite !-automata.

Object-Oriented Software Engineering—A Use Case Drive Approach

Conference Paper

Jan 1993

Ivar Jacobson

An Analyser for Mesage Sequence Charts.

Conference Paper

Jan 1996

Tamagotchis Need Not Die - Verification of STATEMATE Designs

Conference Paper

May 1998

This paper presents a toolset we built for supporting verification of Statemate designs. Statemate is a widely used design tool for embedded control applications. Designs are translated into finite state machines which are optimized and then verified by symbolic model checking. To express requirement specifications the visual formalism of symbolic timing diagrams is used. Their semantics is given by translation into temporal logic. If the model checker generates a counterexample, it is retranslated into either a symbolic timing diagram or a stimulus for the Statemate simulator.

Using a Visual Formalism for Design Verification in Industrial Environments.

Conference Paper

Jan 1998
Lect Notes Comput Sci

This paper reports experiences and results gained during the evaluation of the visual formalism STD as specification method for formal verification, performed in cooperation with industrial partners. The visual formalism STD (Symbolic Timing Diagrams) was developed continuously since 1993 by OFFIS as a specification method, which satisfies several needs: (1) It is based on the principles used in the familiar notation of timing diagrams (as conventionally used by hardware designers). (2) It is a method amenable to formal verification, using stateof-the art verification tools efficiently (in particular, symbolic modelchecking). (3) It supports compositional verification, which is an approach to verify large designs in a compositional way (breaking up proofs of requirements stated for a full design into a sequence of smaller proof tasks, which imply the global proof task). The formalism (with the supporting tools) has been integrated into an established verification environment (CheckOff-M), which allows to verify industrial-scale designs by model-checking.

Timing Constraints in Message Sequence Chart Specifications

Conference Paper

Jan 1997

When dealing with timing constraints, the Z.120 standard of Message Sequcnce Charts (MSCs) is still evolving along with several proposals. This paper first reviews proposed extensions of MSCs to dcscribe timing constraints. Secondly, the paper describes an analysis technique for timing consistency in iterating and branching MSC specifications. Thc analysis extends efficient current techniques for timing analysis of MSCs with no loops nor branchings. Finally, the paper extends our syntactic analysis of process divergence to MSCs with timing constraints.

Object-Oriented Software Engineering – A Use-Case Driven Approach

Book

Jan 1992

Automatic Synthesis of State Machines from Trace Diagrams.

Article

Jul 1994
SOFTWARE PRACT EXPER

this paper is part of a project aiming at advanced support for dynamic modelling in OO software development. We will use the OMT method developed by Rumbaugh et al. as a guideline, but it should be emphasized that the results can be exploited in other methods as well. OMT consists of three modelling techniques: object modelling for describing the static relations and properties of objects, dynamic modelling for describing the behaviour of objects and functional modelling for describing the input--output relations of operations. Of these models, OMT emphasizes the role of the object model---this part is relevant for all applications. Dynamic modelling is needed for specifying the external behaviour of active CCC 0038--0644/94/070643--16 Received 1 November 1993 1994 by John Wiley & Sons, Ltd. Revised 14 March 1994 software such as embedded real-time systems or interactive user interfaces. Since most modern systems have components falling into these categories, dynamic modelling is essential in many cases. Functional modelling is used mainly in computation-oriented applications, such as spreadsheet programs, compilers, CAD systems, etc

Symbolic Model Checking: 10^20 States and Beyond

Article

Jun 1992

Many different methods have been devised for automatically verifying finite state systems by examining state-graph models of system behavior. These methods all depend on decision procedures that explicitly represent the state space using a list or a table that grows in proportion to the number of states. We describe a general method that represents the state space symbolically instead of explicitly. The generality of our method comes from using a dialect of the Mu-Calculus as the primary specification language. We describe a model checking algorithm for Mu-Calculus formulas that uses Bryant's Binary Decision Diagrams (1986) to represent relations and formulas. We then show how our new Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL model checking, satisfiability of linear-time temporal logic formulas, strong and weak observational equivalence of finite transition systems, and language containment for finite !-automata. The fixed point co...

Symbolic timing diagrams [Elektronische Ressource] : a visual formalism for model verification /

Article

Rainer Schlör

Oldenburg, University, Diss., 2001. Computerdatei im Fernzugriff.

Expressing and Analyzing Timing Constraints in Message Sequence Chart Specifications

Article

Aug 1997

Message Sequence Charts (MSCs) are increasingly supported in software engineering tools and methodologies for communication systems. The last Z.120 standard extends MCs with operators to organize them in a compositional, hierarchical fashion to describe systems with non-trivial sizes. When dealing with timing constraints, the standard is still evolving along with several proposals. This paper first reviews proposed extensions of MSCs to describe timing constraints. Secondly, the paper describes an analysis technique for timing consistency in iterating and branching MSC specifications. The analysis extends efficient current techniques for timing analysis of MSCs with no loops or branchings. Finally, we use an example to illustrate our analysis technique.

Specification and verification of system-level hardware designs using time diagrams

Conference Paper

Mar 1993

An approach to the specification and verification of system-level hardware designs is presented. It is based on Timing Diagrams, a graphical specification language with an intuitive semantics, which is especially appropriate for the description of asynchronous distributed systems such as hardware designs. Timing Diagrams and their semantics are formally defined based on a translation to temporal logic. It is shown that for the resulting type of formulas there is an efficient model checking procedure, thus allowing fully automatic verification of hardware designs

An OBDD-representation of statecharts

Conference Paper

Jan 1994

We present an effective method to translate a statechart into an ordered binary decision diagram (OBDD) representation of its transition system. By that it becomes possible to verify a system specified by a statechart by symbolic model checking, one of the most advanced automatic verification techniques. The method exploits the hierarchy in the relevance of information as is implied by the state structure and admits some redundancy to keep the “decoding effort” of each OBDD small. The method is implemented in the ESPRIT project FORMAT, where OBDD based transition systems serve as a common ground to verify specifications in VHDL or (a variant of) statecharts against temporal logic, symbolic timing diagrams, and each other

Sequential Circuit Verification Using Symbolic Model Checking

Conference Paper

Jul 1990

The temporal logic model algorithm of E.M. Clarke et al. (ACM Trans. Prog. Lang. Syst., vol.8, no.2, p.244-63, 1986) is modified to represent a state graph using binary decision diagrams (BDDs). Because this representation captures some of the regularity in the state space of sequential circuits with data path logic, one is able to verify circuits with an extremely large number of states. This new technique is demonstrated on a synchronous pipelined design with approximately 5×10<sup>20</sup> states. The logic that is used to specify circuits is a propositional temporal logic of branching time, called CTL or Computation Tree Logic. The model checking algorithm handles full CTL with fairness constraints. Consequently. it is possible to handle a number of important liveness and fairness properties. which would otherwise not be expressible in CTL. The method presented is not necessarily a replacement for brute-force state-enumeration methods but an alternative that may work efficiently when the brute force methods fail

Automated support for modeling OO software

Article

Feb 1998

We explore how automated tools might support the dynamic modeling phase of object oriented software development. We use the Object Modeling Technique as a guideline and notational basis, but in principle our approach is not tied to any particular OO methodology. We assume, however, that dynamic modeling exploits scenarios (as in OMT) describing examples of using the system being developed. Our techniques can easily be adopted for various scenario representations, such as sequence diagrams or collaboration diagrams in UML

Executable Object Modeling with Statecharts

Article

Aug 1997

Statecharts, popular for modeling system behavior in the structural analysis paradigm, are part of a fully executable language set for modeling object-oriented systems. The languages form the core of the emerging Unified Modeling Language. The authors embarked on an effort to develop an integrated set of diagrammatic languages for object modeling, built around statecharts, and to construct a supporting tool that produces a fully executable model and allows automatic code synthesis. The language set includes two constructive modeling languages (languages containing the information needed to execute the model or translate it into executable code)

Real-Time Verification of Statemate Designs

Article

Jan 2003
Lect Notes Comput Sci

This paper presents an approach towards real-time verification of Statemate designs. Statemate is a widely used design tool for embedded control units. These embedded control units are usually contained in industrial products and often implement concurrent systems. In our approach designs including all timing information are translated into untimed Kripke Structures which are optimized and then verified by symbolic model-checking. Real-time requirements are expressed by TCTL formulae interpreted over discrete time. A reduction from TCTL model-checking to CTL model-checking is presented in order to use a CTL model-checker for the verification task. Some experimental results with the underlying toolset are given.

Verifying Out-of-Order Executions

Article

Feb 1998

The paper presents an approach to the specification and verification of out-of-order execution in the design of micro-processors. Ultimately, the appropriate statement of correctness is that the out-of-order execution produces the same final state (and all relevant intermediate actions, such as writes to memory) as a purely sequential machine running the same program. 1 Introduction Modern processor architectures such as the PowerPC or the DEC Alpha employ aggressive implementation techniques to sustain peak-throughput of instructions. Multiple functional units inside the data-path allow for concurrent execution of multiple instructions and allow to hide latencies stemming from data-dependencies as well as varying pipeline delays. The design of controllers maintaining consistency to sequential program execution on the face of a mixture of out-of-order execution of instructions, speculative execution of instructions, interrupts, and load/store buffers is both challenging and error-pron...

A Graphical Description Technique for Communication in Software Architectures

Article

Oct 1997

A crucial aspect of the architecture of a software system is its decomposition into components and the specification of component interactions. In this paper we use an enhanced variant of Extended Event Traces [SHB96] as a graphical technique for the description of such component interactions. It allows us to define interaction patterns that occur frequently within an architecture, in the form of diagrams. The diagrams may be instantiated in various contexts, thus allowing reuse of interaction patterns. We present several examples to show the applicability of our notation. In addition, we provide a formal semantics for our graphical notation, based on sets of traces. Furthermore, we compare our approach to connector specifications in WRIGHT [AG94], another description language for component interaction in software architectures. * This work was sponsored by the Bundesministerium fr Bildung, Wissenschaft, Forschung und Technologie (BMBF) under the project `ENTSTAND' and by th...

Using a Visual Formalism for Design Verification in Industrial Environments

Article

Jul 1999

. This paper reports experiences and results gained during the evaluation of the visual formalism STD as specification method for formal verification, performed in cooperation with industrial partners. The visual formalism STD (Symbolic Timing Diagrams) was developed continuously since 1993 by OFFIS as a specification method, which satisfies several needs: (1) It is based on the principles used in the familiar notation of timing diagrams (as conventionally used by hardware designers) . (2) It is a method amenable to formal verification, using state-- of--the art verification tools efficiently (in particular, symbolic model-- checking). (3) It supports compositional verification, which is an approach to verify large designs in a compositional way (breaking up proofs of requirements stated for a full design into a sequence of smaller proof tasks, which imply the global proof task). The formalism (with the supporting tools) has been integrated into an established verification...

Message Sequence Chart (MSC)-Annex B: Algebraic Semantics of Message Sequence Charts

Jan 1995

Z Itu-Ts Recommendation

ITU-TS Recommendation Z.120: Message Sequence Chart (MSC)-Annex B: Algebraic Semantics of Message Sequence Charts, ITU-TS, Geneva, 1995.

A visual formalism for real time requirement speci cations

Jan 1997
Lect Notes Comput Sci

K Feyerabend
B Josko

K. Feyerabend and B. Josko. A visual formalism for real time requirement speci cations. In M. Bertran and T. Rus (eds.), Transformation-Based Reactive Systems Development, Proc. 4 th International AMAST Workshop on Real-Time Systems and Concurrent and Distributed Software, ARTS'97, Lecture Notes in Computer Science 1231, pp. 156{168, Springer-Verlag, 1997.

Jan 1996

Itu-Ts Recommendation

ITU-TS Recommendation Z.120: Message Sequence Chart (MSC), ITU-TS, Geneva, 1996.

A Graphical Description Technique for Communication in Software Architectures

Jan 1997

M Broy
C Hofmann
I Oger
M Schmidt

M. Broy, C. Hofmann, I. Kr oger and M. Schmidt. A Graphical Description Technique for Communication in Software Architectures. In Joint 1997 Asia Paci c Software Engineering Conference and International Computer Science Conference (APSEC'97/ICSC'97), 1997.

The projection of a trace 2 traces(A(m)) on V ( jV ) is obtained from by simply restricting all states n to V

V Let
Var

Let V var(A(m)). The projection of a trace 2 traces(A(m)) on V ( jV ) is obtained from by simply restricting all states n to V.

LSCs: Breathing Life into Message Sequence Charts

Abstract

No full-text available

Recommended publications

LSC'S: BREATHING LIFE INTO MESSAGE SEQUENCE CHARTS Werner Damm