Chen-Wei Wang

Formal model-driven engineering of critical information systems

Model-driven engineering is the generation of software artefacts from abstract models. This is achieved through transformations that encode domain knowledge and implementation strategies. The same transformations can be used to produce quite different systems, or to produce successive versions of the same system. A model-driven approach can thus reduce the cost of development. It can also reduce the cost of verification: if the transformations are shown or assumed to be correct, each new system or version can be verified in terms of its model, rather than its implementation. This paper introduces an approach to model-driven engineering that is particularly suited to the development of critical information systems. The language of the models, and the language of the transformations, are amenable to formal analysis. The transformation strategy, and the associated development methodology, are designed to preserve systems integrity and availability. Model-driven tools can reduce the cost of development and verification.Information systems can be produced automatically from object oriented designs.A formal, model-driven approach is proposed for use in safety critical systems.A framework is provided for the correctness of model transformations.

Formalizing and Verifying Function Blocks Using Tabular Expressions and PVS

Many industrial control systems use programmable logic controllers (PLCs) since they provide a highly reliable, off-the-shelf hardware platform. On the programming side, function blocks (FBs) are reusable components provided by the PLC supplier that can be combined to implement the required system behaviour. A higher quality system may be realized if the FBs are pre-certified to be compliant with an international standard such as IEC 61131-3. We present an approach to formalizing FB requirements using tabular expressions, and to verifying the correctness of the FBs implementations in the PVS proof environment. We applied our approach to the example FBs of IEC 61131-3 and identified issues in the standard: ambiguous behavioural descriptions, missing assumptions, and erroneous implementations.

Checking Model Consistency Using Data-Flow Testing

In model-driven development, requirements are captured as a specification model, from which a conforming implementation is automatically generated. Model consistency, with respect to requirements, is a primary concern. If the various structural and integrity constraints are inconsistent, then either the model will admit no implementation, or the implementation produced will not behave according to the intended requirements. We present an approach, based upon data-flow testing, to helping developers inspect their models for inconsistency. System models contain classes, attributes, invariants, and methods specified as first-order predicates. We identify for every attribute its intra-method usages. We construct accordingly call sequences demonstrating its inter-method usages. We derive from each call sequence a Boolean constraint, as a test case, ensuring both the execution of the corresponding inter-method usage and the maintenance of invariants. Developers may examine this test suite and compare against their original understandings about the requirements.

A Guarded Workflow Language and Its Formal Semantics

Many information systems hold data of considerable value, and are subject to complex constraints and business rules. In these systems, update operations are often carefully described, to the extent that it is possible to derive a formal specification of their applicability and effect. Where an update is performed by means of a workflow, as a combination of operations, then it may be advantageous to calculate properties of that workflow from the specifications of the operations involved. This paper introduces a formal notation for the description and analysis of workflows, similar to the well-known languages of guarded commands or generalised substitutions. This notation is given a behavioural semantics corresponding to a sequential, transformational view of the information system. This semantics can then be used to determine the suitability of proposed guards---constraints upon the enactment of workflows---and to establish whether one workflow will interfere with the progress of another.

Formal verification of function blocks applied to IEC 61131-3

Many industrial control systems use programmable logic controllers (PLCs) since they provide a highly reliable, off-the-shelf hardware platform. On the programming side, function blocks (FBs) are reusable components provided by the PLC supplier that can be combined to implement the required system behaviour. A higher quality system may be realized if the FBs are pre-certified to be compliant with an international standard such as IEC 61131-3. We present an approach: 1) to create complete and unambiguous FB requirements using tabular expressions; and 2) to verify the consistency and correctness of FB implementations in the PVS proof environment. We apply our approach to the examples in the informative Appendix F of the IEC 61131-3 standard. We examined the entire library of FBs and their supplied implementations described in structured text (ST) and function block diagrams (FBDs). Our approach identified issues in the informative examples, including: a) ambiguous behavioural descriptions; b) missing assumptions; and c) inconsistent implementations. We also proposed solutions to these issues. We use tabular expressions to formalize requirements of IEC 61131-3 function blocks.We use PVS to formalize structured text and FB diagram implementations in IEC 61131-3.We formally verify the consistency and correctness for all FBs in IEC 61131-3.Using our approach, numerous issues are found in IEC 61131-3 and solutions are suggested.

Formal Verification of Real-Time Function Blocks Using PVS.

A critical step towards certifying safety-critical systems is to check their conformance to hard real-time requirements. A promising way to achieve this is by building the systems from pre-verified components and verifying their correctness in a compositional manner. We previously reported a formal approach to verifying function blocks (FBs) using tabular expressions and the PVS proof assistant. By applying our approach to the IEC 61131-3 standard of Programmable Logic Controllers (PLCs), we constructed a repository of precise specification and reusable (proven) theorems of feasibility and correctness for FBs. However, we previously did not apply our approach to verify FBs against timing requirements, since IEC 61131-3 does not define composite FBs built from timers. In this paper, based on our experience in the nuclear domain, we conduct two realistic case studies, consisting of the software requirements and the proposed FB implementations for two subsystems of an industrial control system. The implementations are built from IEC 61131-3 FBs, including the on-delay timer. We find issues during the verification process and suggest solutions.

Formal and Model-Based Testing of Concurrent Workflows

The design of an information system will involve a number of structural and semantic integrity constraints. One way to ensure that these constraints are maintained is through the calculation and implementation of a guard for each operation: a condition sufficient for all integrity constraints to be maintained, checked before the operation is performed, if the guard evaluates false, then the operation will be blocked or rejected. The information required for the calculation of operation guards can be used also to calculate the effect of workflows: compositions or patterns of guarded operations. The multiplication of states and entities, for arbitrary, parallel compositions of operations and workflows, makes exhaustive analysis impractical. This paper shows how the precise specification of operations and workflows can be used instead to select particular scenarios for calculating effects at the model level, or for generating test cases at the implementation level. The result is an analysis and testing methodology for guarded workflows.

Using Indexed and Synchronous Events to Model and Validate Cyber-Physical Systems.

Timed Transition Models (TTMs) are event-based descriptions for modelling, specifying, and verifying discrete real-time systems. An event can be spontaneous, fair, or timed with specified bounds. TTMs have a textual syntax, an operational semantics, and an automated tool supporting linear-time temporal logic. We extend TTMs and its tool with two novel modelling features for writing high-level specifications: indexed events and synchronous events. Indexed events allow for concise description of behaviour common to a set of actors. The indexing construct allows us to select a specific actor and to specify a temporal property for that actor. We use indexed events to validate the requirements of a train control system. Synchronous events allow developers to decompose simultaneous state updates into actions of separate events. To specify the intended data flow among synchronized actions, we use primed variables to reference the post-state (i.e., one resulted from taking the synchronized actions). The TTM tool automatically infers the data flow from synchronous events, and reports errors on inconsistencies due to circular data flow. We use synchronous events to validate part of the requirements of a nuclear shutdown system. In both case studies, we show how the new notation facilitates the formal validation of system requirements, and use the TTM tool to verify safety, liveness, and real-time properties.

TTM/PAT: Specifying and Verifying Timed Transition Models

Timed Transition Models (TTMs) are event-based descriptions for specifying real-time systems in a discrete setting. We propose a convenient and expressive event-based textual syntax for TTMs and a corresponding operational semantics using labelled transition systems. A system is specified as a composition of module instances. Each module has a clean interface for declaring input, output, and shared variables. Events in a module can be specified, individually, as spontaneous, fair or real-time. An event action specifies a before-after predicate by a set of (possibly non-deterministic) assignments and nested conditionals. The TTM assertion language, linear-time temporal logic (LTL), allows references to event occurrences, including clock ticks (thus allowing for a check that the behaviour is non-Zeno). We implemented a model checker for the TTM notation (using the PAT framework) that includes an editor with static type checking, a graphical simulator, and a LTL verifier. The tool automatically derives the tick transition and implicit event clocks, removing the burden of manual encoding them. The TTM tool performs significantly better on a nuclear shutdown system than the manually encoded versions analyzed in [6].

Precise Documentation and Validation of Requirements

Precise documentation of requirements is important for developing and certifying mission critical software. We specify cyber-physical systems via an Event-B-like machine which declar es the monitored and controlled variables and their initial condition. A machine event models the joint action of the plant and the controller. Embedded in the event action is a function table that specifies the input-output behaviour of the controller, as monitored variables are periodically updated by the plant. We extend the Event-B notation with queries and modules. The resulting machine provides us with a mathematical description of the overall system behaviour, thus allowing us to validate the requirements by proving that (1) the input-output specification of the controller is complete, disjoint and well-defined, and that (2) the machine satisfies system-wide consistency invariants elicited from domain experts. A biomedical device is used as a case study, and we mechanize proofs via a SMT solver.