Jonathan S. Ostroff

Formal methods for the specification and design of real-time safety critical systems

Abstract Safety-critical computers increasingly affect nearly every aspect of our lives. Computers control the planes we fly on, monitor our health in hospitals and do our work in hazardous environments. Computers with software deficiencies that fail to meet stringent timing constraints have resulted in catastrophic failures. This article surveys formal methods for specifying, designing, and verifying real-time systems so as to improve their safety and reliability.

Deciding properties of timed transition models

Real-time distributed systems are modeled by a times transition model (TTM). For any finite-state TTM, decision procedures are provided for checking a small but important class of properties (specified in real-time temporal logic). The procedures are linear in the size of the system reachability graph. The class of properties includes invariance, precedence, eventuality and real-time response specifications. >

Metamodel-based model conformance and multiview consistency checking

Model-driven development, using languages such as UML and BON, often makes use of multiple diagrams (e.g., class and sequence diagrams) when modeling systems. These diagrams, presenting different views of a system of interest, may be inconsistent. A metamodel provides a unifying framework in which to ensure and check consistency, while at the same time providing the means to distinguish between valid and invalid models, that is, conformance. Two formal specifications of the metamodel for an object-oriented modeling language are presented, and it is shown how to use these specifications for model conformance and multiview consistency checking. Comparisons are made in terms of completeness and the level of automation each provide for checking multiview consistency and model conformance. The lessons learned from applying formal techniques to the problems of metamodeling, model conformance, and multiview consistency checking are summarized.

Principles for modeling language design

Modeling languages, like programming languages, need to be designed if they are to be practical, usable, accepted, and of lasting value. We present principles for the design of modeling languages. To arrive at these principles, we consider the intended use of modeling languages. We conject that the principles are applicable to the development of new modeling languages, and for improving the design of existing modeling languages that have evolved, perhaps through a process of unification. The principles are illustrated and explained by several examples, drawing on object-oriented and mathematical modeling languages.

Synthesis of controllers for real-time discrete event systems

A (possibly infinite-state) real-time discrete-event plant is modeled as a timed transition system. The free (uncontrolled) behavior of the plant is usually unsatisfactory in some important respect. A specification (written in real-time temporal logic) of required plant behavior is therefore to be imposed on the plant. The key result is a controller development procedure which shows how to systematically develop control strategies for a class of safety properties. The procedure isolates the unsafe part of the behavior, and gives a set of conditions under which the unsafe behavior can be made safe. If the conditions are satisfied, then the plant is guaranteed to satisfy the required specification. The states of the system are not explicitly represented in the design procedure; instead, predicates and predicate transformers, are used to overcome some of the problems of combinatorial explosion of states in large systems.<<ETX>>

A visual toolset for the design of real-time discrete-event systems

StateTime is a prototype toolset that supports the design of verified real-time discrete-event systems using executable visual state descriptions (the Build tool). Visual state descriptions allow the designer to browse and understand the structure of the system. A timing hierarchy of spontaneous, just, and forced timed events, and a variety of computational notions such as concurrency, hierarchy, nondeterminism, process interaction, and communication can be represented. The combination of model-checking (the Verify tool) and theorem proving allows for the treatment of finite and infinite state systems. The toolset is illustrated with a shutdown controller of a reactor, as taken from an actual industrial requirements document in which the system is described informally using a mixture of English descriptions, timing diagrams, and pseudocode. Using StateTime, a unified precise description of the shutdown reactor is obtained, which can then be checked automatically for conformance with its requirements.

A temporal logic approach to real time control

Discrete event systems in such areas as process control, flexible manufacturing systems and computer networks require real time distributed computer control to ensure an orderly flow of events. A temporal logic framework for the specification, analysis and verification of such control systems is discussed. Controllers are implemented in the Pascal based distributed language CONIC.

A logic for real-time discrete event processes

Temporal logic can be used to design controllers for real-time discrete event systems. The underlying plant dynamics is most economically described by a state transition structure with time bounds on the transitions. Temporal logic can then be used to specify the problem to be solved and help in the derivation and verification of a suitable controller. The author discusses the nature of real-time discrete event processes, examines the software verification literature, gives a brief overview of the model and logic framework, and provides a small example of controller design.<<ETX>>

Composition and refinement of discrete real-time systems

Reactive systems exhibit ongoing, possibly nonterminating, interaction with the environment. Real-time systems are reactive systems that must satisfy quantitative timing constraints. This paper presents a structured compositional design method for discrete real-time systems that can be used to combat the combinatorial explosion of states in the verification of large systems. A composition rule describes how the correctness of the system can be determined from the correctness of its modules, without knowledge of their internal structure. The advantage of compositional verification is clear. Each module is both simpler and smaller than the system itself. Composition requires the use of both model-checking and deductive techniques. A refinement ruleguarantees that specifications of high-level modules are preserved by their implementations. The StateTime toolset is used to automate parts of compositional designs using a combination of model-checking and simulation. The design method is illustrated using a reactor shutdown system that cannot be verified using the StateTime toolset (due to the combinatorial explosion of states) without compositional reasoning. The reactor example also illustrates the use of the refinement rule.

Contracts for concurrency

The SCOOP model extends the Eiffel programming language to provide support for concurrent programming. The model is based on the principles of Design by Contract. The semantics of contracts used in the original proposal (SCOOP_97) is not suitable for concurrent programming because it restricts parallelism and complicates reasoning about program correctness. This article outlines a new contract semantics which applies equally well in concurrent and sequential contexts and permits a flexible use of contracts for specifying the mutual rights and obligations of clients and suppliers while preserving the potential for parallelism. We argue that it is indeed a generalisation of the traditional correctness semantics. We also propose a proof technique for concurrent programs which supports proofs—similar to those for traditional non-concurrent programs—of partial correctness and loop termination in the presence of asynchrony.