Contract-based modeling and verification of timed safety requirements within SysML

In order to cope with the growing complexity of critical real-time embedded systems, systems engineering has adopted a component-based design technique driven by requirements. Yet, such an approach raises several issues since it does not explicitly prescribe how system requirements can be decomposed on components nor how components contribute to the satisfaction of requirements. The envisioned solution is to design, with respect to each requirement and for each involved component, an abstract specification, tractable at each design step, that models how the component is concerned by the satisfaction of the requirement and that can be further refined toward a correct implementation. In this paper, we consider such specifications in the form of contracts. A contract for a component consists in a pair (assumption, guarantee) where the assumption models an abstract behavior of the component’s environment and the guarantee models an abstract behavior of the component given that the environment behaves according to the assumption. Therefore, contracts are a valuable asset for the correct design of systems, but also for mapping and tracing requirements to components, for tracing the evolution of requirements during design and, most importantly, for compositional verification of requirements. The aim of this paper is to introduce contract-based reasoning for the design of critical real-time systems made of reactive components modeled with UML and/or SysML. We propose an extension of UML and SysML languages with a syntax and semantics for contracts and the refinement relations that they must satisfy. The semantics of components and contracts is formalized by a variant of timed input/output automata on top of which we build a formal contract-based theory. We prove that the contract-based theory is sound and can be applied for a relatively large class of SysML system models. Finally, we show on a case study extracted from the automated transfer vehicle (http://www.esa.int/ATV) that our contract-based theory allows to verify requirement satisfaction for previously intractable models.

[1]  Joost-Pieter Katoen,et al.  A probabilistic extension of UML statecharts: Specification and Verification. , 2002 .

[2]  Edmund M. Clarke,et al.  Counterexample-guided abstraction refinement , 2003, 10th International Symposium on Temporal Representation and Reasoning, 2003 and Fourth International Conference on Temporal Logic. Proceedings..

[3]  Tammy Noergaard,et al.  Embedded Software , 2009, Encyclopedia of Biometrics.

[4]  Sanjai Rayadurgam,et al.  Compositional verification of a medical device system , 2013 .

[5]  Martín Abadi,et al.  A Logical View of Composition , 1993, Theor. Comput. Sci..

[6]  Hardi Hungar,et al.  Using contract-based component specifications for virtual integration testing and architecture design , 2011, 2011 Design, Automation & Test in Europe.

[7]  Iulian Ober,et al.  Validating timed UML models by simulation and verification , 2006, International Journal on Software Tools for Technology Transfer.

[8]  Alessandro Cimatti,et al.  Contracts-refinement proof system for component-based embedded systems , 2015, Sci. Comput. Program..

[9]  Joseph Sifakis,et al.  The IF Toolset , 2004, SFM.

[10]  Sophie Quinton,et al.  Design, vérification et implémentation de systèmes à composants , 2011 .

[11]  Nancy A. Lynch,et al.  The Theory of Timed I/o Automata , 2003 .

[12]  Iulian Ober,et al.  OMEGA2: A New Version of the Profile and the Tools , 2010, 2010 15th IEEE International Conference on Engineering of Complex Computer Systems.

[13]  E. Allen Emerson,et al.  Computer Aided Verification , 2000, Lecture Notes in Computer Science.

[14]  Howard Barringer,et al.  Assumption generation for software component verification , 2002, Proceedings 17th IEEE International Conference on Automated Software Engineering,.

[15]  Sophie Quinton,et al.  Contracts for BIP: Hierarchical Interaction Models for Compositional Verification , 2007, FORTE.

[16]  Axel Legay,et al.  Contracts and Behavioral Patterns for SoS: The EU IP DANSE approach , 2013, AiSoS.

[17]  Kim G. Larsen,et al.  Compositional verification of real-time systems using Ecdar , 2012, International Journal on Software Tools for Technology Transfer.

[18]  Kim G. Larsen,et al.  Methodologies for Specification of Real-Time Systems Using Timed I/O Automata , 2009, FMCO.

[19]  Edmund M. Clarke,et al.  Compositional model checking , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.

[20]  Thomas A. Henzinger,et al.  Timed Interfaces , 2002, EMSOFT.

[21]  Angelika Mueller Formal Modeling And Analysis Of Timed Systems , 2016 .

[22]  Marta Z. Kwiatkowska,et al.  Revisiting Timed Specification Theories: A Linear-Time Perspective , 2012, FORMATS.

[23]  Christian Becker,et al.  A UML Meta-model for Contract Aware Components , 2001, UML.

[24]  Iulian Ober,et al.  A Case Study in Formal System Engineering with SysML , 2012, 2012 IEEE 17th International Conference on Engineering of Complex Computer Systems.

[25]  Sophie Quinton,et al.  Contract-Based Verification of Hierarchical Systems of Components , 2008, 2008 Sixth IEEE International Conference on Software Engineering and Formal Methods.

[26]  Kim G. Larsen,et al.  Interface Input/Output Automata , 2006, FM.

[27]  Barbara König,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 2012, Lecture Notes in Computer Science.

[28]  Jun Sun,et al.  Are Timed Automata Bad for a Specification Language? Language Inclusion Checking for Timed Automata , 2014, TACAS.

[29]  Kim G. Larsen,et al.  Timed I/O automata: a complete specification theory for real-time systems , 2010, HSCC '10.

[30]  David Lorge Parnas,et al.  Active design reviews: principles and practices , 1985, ICSE '85.

[31]  Rajeev Alur,et al.  A Theory of Timed Automata , 1994, Theor. Comput. Sci..

[32]  Rajeev Alur,et al.  A Temporal Logic of Nested Calls and Returns , 2004, TACAS.

[33]  Joël Ouaknine,et al.  On the language inclusion problem for timed automata: closing a decidability gap , 2004, Proceedings of the 19th Annual IEEE Symposium on Logic in Computer Science, 2004..

[34]  Kim G. Larsen,et al.  Moving from Specifications to Contracts in Component-Based Design , 2012, FASE.

[35]  Anders P. Ravn,et al.  Formal Techniques in Real-Time and Fault-Tolerant Systems , 1994, Lecture Notes in Computer Science.

[36]  J. Christian Attiogbé,et al.  Multilevel Contracts for Trusted Components , 2010, WCSI.

[37]  Joseph Sifakis,et al.  An Algebraic Framework for Urgency , 2000, Inf. Comput..

[38]  Michael W. Whalen,et al.  Hierarchical Circular Compositional Reasoning , 2012 .

[39]  Jirí Srba,et al.  Comparing the Expressiveness of Timed Automata and Timed Extensions of Petri Nets , 2008, FORMATS.

[40]  Shing-Chi Cheung,et al.  Checking safety properties using compositional reachability analysis , 1999, TSEM.

[41]  Alessandro Cimatti,et al.  A Property-Based Proof System for Contract-Based Design , 2012, 2012 38th Euromicro Conference on Software Engineering and Advanced Applications.

[42]  Doron A. Peled,et al.  Software Reliability Methods , 2001, Texts in Computer Science.

[43]  Iulian Ober,et al.  Unambiguous UML Composite Structures: The OMEGA2 Experience , 2011, SOFSEM.

[44]  P. S. Thiagarajan,et al.  Proceedings of the 5th international conference on Formal modeling and analysis of timed systems , 2007 .

[45]  Kevin Lano,et al.  Slicing of UML models using model transformations , 2010, MODELS'10.

[46]  Kazunori Ueda,et al.  Advances in Computing Science — ASIAN'97 , 1997, Lecture Notes in Computer Science.

[47]  Corina S. Pasareanu,et al.  Automated Assume-Guarantee Reasoning by Abstraction Refinement , 2008, CAV.

[48]  Iulian Ober,et al.  Formal Model Driven Engineering for Space Onboard Software , 2011 .

[49]  Bengt Jonsson,et al.  A Compositional Specification Theory for Component Behaviours , 2012, ESOP.

[50]  Kim G. Larsen,et al.  New Results on Timed Specifications , 2010, WADT.

[51]  Farn Wang Symbolic Simulation-Checking of Dense-Time Automata , 2007, FORMATS.

[52]  Stephan Merz,et al.  Model Checking - Timed UML State Machines and Collaborations , 2002, FTRTFT.

[53]  Iulian Ober,et al.  Integrating verifiable Assume/Guarantee contracts in UML/SysML , 2013, ACESMB@MoDELS.

[54]  Iulian Ober,et al.  UML/SysML semantic tunings , 2011, Innovations in Systems and Software Engineering.

[55]  Alessandro Cimatti,et al.  OCRA: A tool for checking the refinement of temporal contracts , 2013, 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[56]  Pascal André,et al.  Vérification de contrats logiciels à l'aide de transformations de modèles Application à Kmelia , 2011 .

[57]  Sanjai Rayadurgam,et al.  Your "What" Is My "How": Iteration and Hierarchy in System Design , 2013, IEEE Software.

[58]  Benoît Combemale,et al.  A Generic Tool for Tracing Executions Back to a DSML's Operational Semantics , 2011, ECMFA.

[59]  Jonathan P. Bowen,et al.  Formal Methods , 2010, Computing Handbook, 3rd ed..

[60]  Joseph Sifakis,et al.  Modeling Heterogeneous Real-time Components in BIP , 2006, Fourth IEEE International Conference on Software Engineering and Formal Methods (SEFM'06).

[61]  Iulian Ober,et al.  Seeing errors: model driven simulation trace visualization , 2012, MODELS'12.

[62]  Paul Pettersson,et al.  ABV - A Verifier for the Architecture Analysis and Design Language (AADL) , 2011, 2011 16th IEEE International Conference on Engineering of Complex Computer Systems.

[63]  H. Wang,et al.  Minneapolis, MN 55455 , 1985 .

[64]  Kim Guldstrand Larsen,et al.  Formal Methods for the Design of Real-Time Systems , 2004, Lecture Notes in Computer Science.

[65]  Orna Grumberg,et al.  Model checking and modular verification , 1994, TOPL.

[66]  Axel Legay,et al.  Component Interfaces with Contracts on Ports , 2012, FACS.

[67]  Roberto Passerone,et al.  A contract-based formalism for the specification of heterogeneous systems , 2008, 2008 Forum on Specification, Verification and Design Languages.

[68]  Bengt Jonsson,et al.  Assume-Guarantee Reasoning for Safe Component Behaviours , 2012, FACS.

[69]  Jean-Marc Jézéquel,et al.  Making Components Contract Aware , 1999, Computer.

[70]  Sophie Quinton,et al.  Reasoning about Safety and Progress Using Contracts , 2010, ICFEM.

[71]  Iulian Ober,et al.  Safety Contracts for Timed Reactive Components in SysML , 2014, SOFSEM.

[72]  Yassine Lakhnech,et al.  Hierarchical Automata as Model for Statecharts , 1997, ASIAN.

[73]  Emilio Insfran,et al.  Model-Driven Engineering Languages and Systems , 2014, Lecture Notes in Computer Science.

[74]  Thomas A. Henzinger,et al.  Interface automata , 2001, ESEC/FSE-9.

[75]  John Fitzgerald,et al.  Contract-Based Interface Specification Language for Functional and Non-Functional Properties , 2011 .

[76]  Tobias Nipkow,et al.  FM 2006: Formal Methods, 14th International Symposium on Formal Methods, Hamilton, Canada, August 21-27, 2006, Proceedings , 2006, FM.

[77]  Joseph Sifakis,et al.  Tools and Applications II: The IF Toolset , 2004 .

[78]  Thomas A. Henzinger,et al.  Interface Theories for Component-Based Design , 2001, EMSOFT.

[79]  Kim G. Larsen,et al.  ECDAR: An Environment for Compositional Design and Analysis of Real Time Systems , 2010, ATVA.