Iulia Dragomir

Compositional Semantics and Analysis of Hierarchical Block Diagrams

We present a compositional semantics and analysis framework for hierarchical block diagrams (HBDs) in terms of atomic and composite predicate transformers. Our framework consists of two components: (1) a compiler that translates Simulink HBDs into an algebra of transformers composed in series, in parallel, and in feedback; (2) an implementation of the theory of transformers and static analysis techniques for them in Isabelle. We evaluate our framework on several case studies including a benchmark Simulink model by Toyota.

Unambiguous UML composite structures: the OMEGA2 experience

Starting from version 2.0, UML introduced hierarchical composite structures, which are a very expressive way of defining complex software architectures, but which have a very loosely defined semantics in the standard. In this paper we propose a set of consistency rules that ensure UML composite structures are unambiguous and can be given a precise semantics. Our primary application of the static consistency rules defined in this paper is within the OMEGA UML profile [6], but these rules are general and applicable to other hierarchical component models based on the same concepts, such as MARTE GCM or SysML. The rule set has been formalized in OCL and is currently used in the OMEGA UML compiler.

OMEGA2: A New Version of the Profile and the Tools

In previous work we contributed to the definition of an executable profile of UML, called OMEGA UML, dedicated to the formal specification and validation of real-time systems. The prominent features of OMEGA UML are (1) a small and coherent set of concepts for describing the architecture and the behaviour of a system, (2) means for formalizing the properties of the system, in particular timing properties, and (3) a well-behaved concurrent execution model suited for real-time applications. To meet user demands, the profile has recently been updated to include hierarchical composite structures (part of the standard UML 2. x specification) and new concurrency structures. The new version (OMEGA2) is in line with the original principles: simplicity, well-defined operational semantics and tool support for simulation and verification (IFx version 2). The present paper contains an overview of both the profile and the tool.

A Case Study in Formal System Engineering with SysML

In the development of complex critical systems, an important source of errors is the misinterpretation of system requirements allocated to the software, due to inadequate communication between system engineering teams and software teams. In response, organizations that develop such systems are searching for solutions allowing formal system engineering and system to software bridging, based on standard languages like SysML. As part of this effort, we have defined a formal profile for SysML (OMEGA SysML) and we have built a simulation and verification toolbox for this profile (IFx). This paper reports on the experience of modelling and validating an industry-grade system, the Solar Generation System (SGS) of the Automated Transfer Vehicle (ATV) built by Astrium, using IFx-OMEGA. The experience reveals what can currently be expected from such an approach and what are the weak points that should be addressed by future research and development.

UML/SysML semantic tunings

Recent years have seen a manifest increase in the use of modelling by the embedded systems industry. UML and SysML are two examples of languages used in this context. One of the reasons why the use of models is interesting is the possibility to perform early verification, validation and testing. A lot of work was devoted to developing theoretical results in verification and validation, and interesting results are available. Integrating these results in frameworks that take high-level models as an entry remains a challenging task, for several reasons that include the difficult scalability of the theoretical results. In previous work, we presented OMEGA 2, a framework that takes this challenge. Applying our framework on large industrial models revealed the fact that some features of the UML/SysML semantics which lead to bottlenecks in verification are not actually necessary in the models that we considered, thus leaving place for optimisations. This paper discusses the gap existing between the choices made in the general UML/SysML semantic framework and the actual needs of the users. We illustrate it based on the semantics of ports, for which we give a simplified version of the semantics. This semantics was implemented in our tools and we quantify the optimisation obtained when applying it to a set of case studies.

Safety Contracts for Timed Reactive Components in SysML

A variety of system design and architecture description languages, such as SysML, UML or AADL, allows the decomposition of complex system designs into communicating timed components. In this paper we consider the contract-based specification of such components. A contract is a pair formed of an assumption, which is an abstraction of the component’s environment, and a guarantee, which is an abstraction of the component’s behavior given that the environment behaves according to the assumption. Thus, a contract concentrates on a specific aspect of the component’s functionality and on a subset of its interface, which makes it relatively simpler to specify. Contracts may be used as an aid for hierarchical decomposition during design or for verification of properties of composites. This paper defines contracts for components formalized as a variant of timed input/output automata, introduces compositional results allowing to reason with contracts and shows how contracts can be used in a high-level modeling language (SysML) for specification and verification, based on an example extracted from a real-life system.

Type Inference of Simulink Hierarchical Block Diagrams in Isabelle

Simulink is a de-facto industrial standard for embedded system design. In previous work, we developed a compositional analysis framework for Simulink, the Refinement Calculus of Reactive Systems (RCRS), which allows checking compatibility and substitutability of components. However, standard type checking was not considered in that work. In this paper we present a method for the type inference of Simulink models using the Isabelle theorem prover. A Simulink diagram is translated into an (RCRS) Isabelle theory. Then Isabelle’s powerful type inference mechanism is used to infer the types of the diagram based on the types of the basic blocks. One of the aims is to handle formally as many diagrams as possible. In particular, we want to be able to handle even those diagrams that may have typing ambiguities, provided that they are accepted by Simulink. This method is implemented in our toolset that translates Simulink diagrams into Isabelle theories and simplifies them. We evaluate our technique on several case studies, most notably, an automotive fuel control system benchmark provided by Toyota.

Contract-based modeling and verification of timed safety requirements within SysML

In order to cope with the growing complexity of critical real-time embedded systems, systems engineering has adopted a component-based design technique driven by requirements. Yet, such an approach raises several issues since it does not explicitly prescribe how system requirements can be decomposed on components nor how components contribute to the satisfaction of requirements. The envisioned solution is to design, with respect to each requirement and for each involved component, an abstract specification, tractable at each design step, that models how the component is concerned by the satisfaction of the requirement and that can be further refined toward a correct implementation. In this paper, we consider such specifications in the form of contracts. A contract for a component consists in a pair (assumption, guarantee) where the assumption models an abstract behavior of the component’s environment and the guarantee models an abstract behavior of the component given that the environment behaves according to the assumption. Therefore, contracts are a valuable asset for the correct design of systems, but also for mapping and tracing requirements to components, for tracing the evolution of requirements during design and, most importantly, for compositional verification of requirements. The aim of this paper is to introduce contract-based reasoning for the design of critical real-time systems made of reactive components modeled with UML and/or SysML. We propose an extension of UML and SysML languages with a syntax and semantics for contracts and the refinement relations that they must satisfy. The semantics of components and contracts is formalized by a variant of timed input/output automata on top of which we build a formal contract-based theory. We prove that the contract-based theory is sound and can be applied for a relatively large class of SysML system models. Finally, we show on a case study extracted from the automated transfer vehicle (http://www.esa.int/ATV) that our contract-based theory allows to verify requirement satisfaction for previously intractable models.