Andy Galloway

Integrating safety and formal analyses using UML and PFS

Where software systems are safety critical, for example in aircraft engine control, it is necessary to carry out safety analysis on designs in support of certification. We argue that there is also significant value in formally validating such a design. Few “classical” formal notations and methods are geared towards embedded systems. We illustrate one such method known as Practical Formal Specification (PFS), showing how it can be integrated in a UML context with various forms of safety analysis. The PFS method was developed to extend classical approaches in the development of embedded software systems in a way that adds engineering value, and fits into existing well-established frameworks. We exemplify the approach to model the reverse thrust selection function of the thrust reversal system of a turbo-jet engine.

Model-Checking the Linux Virtual File System

This paper presents a case study in modelling and verifying the Linux Virtual File System (VFS). Our work is set in the context of Hoares verification grand challenge and, in particular, Joshi and Holzmanns mini-challenge to build a verifiable file system. The aim of the study is to assess the viability of retrospective verification of a VFS implementation using model-checking technology. We show how to extract an executable model of the Linux VFS implementation, validate the model by employing the simulation capabilities of SPIN, and analyse it for adherence to data integrity constraints and deadlock freedom using the SMART model checker.

Experiences with the Application of Discrete Formal Methods to the Development of Engine Control Software

Abstract In this paper we outline an approach to the application of Formal Methods to the development of aircraft engine control software. We outline the difficulties in applying traditional formalisms to control software and propose an approach in which the discrete requirements are specified as aggregations of state-based and reactive requirements; the particular value of (formally) aggregating requirements is that assumptions are discharged in their context or else propagated outward toward the sensory environment. We briefly discuss extensions of the approach to distributed engine control and avionics systems.

Proving properties of stateflow models using ISO standard z and CADiZ

This paper focuses on the use of ISO Standard Z and CADiZ in the formal validation of Stateflow models against requirements-oriented assumptions. It documents some of what the Simulink/Stateflow Analyser tool does in support of the Practical Formal Specification method. The tool aims to automate the formal validations of the method, so that users of Simulink/Stateflow can benefit from them. The Z exploits some notations that are particular to ISO Standard Z. The automation is aided by quite terse tactics interpreted by CADiZ.

Reasoning about loops in total and general correctness

We introduce a calculus for reasoning about programs in total correctness which blends UTP designs with von Wrights notion of a demonic refinement algebra. We demonstrate its utility in verifying the familiar loop-invariant rule for refining a total-correctness specification by a while loop. Total correctness equates non-termination with completely chaotic behaviour, with the consequence that any situation which admits non-termination must also admit arbitrary terminating behaviour. General correctness is more discriminating in allowing nontermination to be specified together with more particular terminating behaviour. We therefore introduce an analogous calculus for reasoning about programs in general correctness which blends UTP prescriptions with a demonic refinement algebra. We formulate a loop-invariant rule for refining a general-correctness specification by a while loop, and we use our general-correctness calculus to verify the new rule.

Practical Formal Specification for Embedded Control Systems

Abstract Control systems are typically specified in two parts: continuous and discrete. The continuous part is described using control laws; the discrete part is described using statecharts. The models are usually analysed for properties such as stability, and executed (or simulated) to validate them. An overview of a programme known as Practical Formal Specification (PFS) is presented. PFS is intended to extend classical approaches to developing control systems using formal techniques. The paper gives an outline of the principles underlying PFS and describes the realisation of those principles in a formal analysis tool integrated with Simulink and Stateflow.

Undefined Expressions and Logic in Z and B

In this paper we show how undefined expressions and undetermined predicates may arise when using the specification languages Z and B. We review how undefined terms have been handled in various formalisms (Principia Mathematica, Domain Theory, LPF,) and look at the effect of undefined expressions on the proof theory and the denotational meaning of specifications in Z and B. We note that in formal systems which make use of partial functions and have an unguarded equality axiom x = x together with a classical two valued logic it is impossible to have a proof rules of the form y = f(x) ⇒ x ↦ y ∈ f and that consequently, assertions of the form y = f(x) may have very little meaning.

Abstract State Machines: Designing Distributed Systems with State Machines and B

We outline a theory of communicating “Abstract State Machines”. The state of an Abstract State Machine has two components: a behavioural state and a data state. The behavioural states are shown on a state diagram, whose transitions are labelled with an “event” and a B operation. The firing of a transition is synonymous with the occurrence of its associated event. We use a synchronous model of communication based on shared events which simultaneously change the state of each participating machine. The B operation associated with a transition generally has the form G ⟹ S, where a necessary condition for the transition to fire is that G is true, and where S describes any resulting changes in the data state of the Abstract Machine. The paper includes simple examples, the translation of Abstract State Machines to B Action Systems, the translation of Abstract State Machines into “primitive” Abstract State Machines which have only behavioural state, the parallel combination of high level Abstract State Machines, and short notes on choice and refinement.

High-integrity agile processes for the development of safety critical software

Typically, safety critical software systems are developed using plan-driven development processes. Agile processes have evolved to help reduce costs of software development and seek to minimise documentation overheads. For safety critical systems that must undergo certification, documentation is essential. The question this paper addresses is: can a process based on agile principles be used to deliver a safety critical software product, but also the evidence needed to satisfy assurance objectives? The paper makes three contributions. Firstly, it presents an analysis of agile processes and their applicability in this domain. It reviews positive indicators for their use, outlines challenges associated with their deployment and proposes strategies for addressing these challenges. Secondly, it makes a number of recommendations for adapting an agile process to the domain. Finally, the paper reports on an experiment to demonstrate the plausibility of using of an adapted agile process for building a safety critical software system.

Towards a Model-Based Refinement Process for Contractual State Machines

We present a rigorous model-based approach to the stepwise design of contractual state machines, which are a simplified form of state charts extended with declarative specifications. The approach is based on application of a set of refinement patterns, that can be validated against a formal semantics, and that are implemented using update-in-place model transformations. We describe the integrated tool support we are implementing for this model-based approach, and illustrate the approach with small examples.