Peter Herrmann

A framework for modeling transfer protocols

The notion of specification frameworks transposes the framework approach from software development to the level of formal modeling and analysis. A specification framework is devoted to a special application domain. It supplies reusable specification modules and guides the construction of specifications. Moreover, it provides theorems to be used as building blocks of verifications. By means of a suitable framework, specification and verification tasks can be reduced to the selection, parametrization and combination of framework elements resulting in a substantial support which opens formal analysis even for real-sized problems. The transfer protocol framework addressed here is devoted to the design of data transfer protocols. Specifications of used and provided communication services as well as protocol specifications can be composed from its specification modules. The theorems correspond to the relations between protocol mechanism combinations and those properties of the provided service which are implemented by them. This article centers on the application of this framework which is discussed with the help of the specification of a sliding window protocol. Moreover the structure of its verification is described. The specification and verification technique applied is based on L. Lamport’s temporal logic of actions (TLA). We use the variant cTLA which particularly supports the modeling of process systems. ” 2000 Elsevier Science B.V. All rights reserved.

Compositional specification and verification of high-speed transfer protocols

Transfer protocols are composed from basic protocol mechanisms and accordingly a complex protocol can be verified by a series of relatively simple mechanism proofs. Our approach applies L. Lamport’s Temporal Logic of Actions (TLA). It is based on a modular compositional TLA-style and supports the analysis of flexibly configured high-speed transfer protocols.

Compositional specification and structured verification of hybrid systems in cTLA

Many modern chemical plants have to be modelled as complex hybrid systems consisting of various continuous and event-discrete components. Besides the modular and easy to read specification, the formal verification of required properties (e.g., safety properties) is a major problem, due to the complexity of the models. In practice, mostly informal argumentations exist which show that certain properties hold. The informal argumentation for one specific property does not deal with the complex system model as a whole but considers specific parts and aspects only. Our approach supports formal proofs which correspond to the informal argumentations even with respect to the use of subsystems only. It is based on the specification language cTLA supporting modular descriptions of hybrid systems. We outline cTLA and introduce the approach by means of a hybrid example system.

Re-usable verification elements for high-speed transfer protocol configurations

Presently, many communication protocols are under development which are tailored to the efficient high-speed data transfer meeting different application-specific requirements. Our approach concentrates on a framework which facilitates the formal verification of the protocols. The framework supplies verified and re-usable implications between predefined protocol and service specification components. For the verification of a specific protocol, protocol, service and medium can be modelled as compositions of framework specification components. The verification corresponds to proving that the system of protocol and medium implies the service. This implication can be proven by combining component implications of the framework. We apply L. Lamport’s Temporal Logic of Actions (TLA) and use a TLA specification style supporting the compositional specification of process systems and the inference of system properties from process properties.

Approaches to the Formal Verification of Hybrid Systems

This paper presents two different approaches to the problem of formally verifying the correctness of control systems which consist of a logic controller and a continuous plant and, thus, constitute a hybrid system. One approach aims at algorithmic verification and combines Condition/Event Systems with Timed Automata. The first framework is used to model the controller and the plant in a block-diagram representation, which is then translated into the latter model for analysis by available tools. A second approach is presented which is based on deductive verification. It allows for a structured analysis of compositional specifications formulated in a temporal logic called cTLA. This logic is a compositional style of the Temporal Logic of Actions established in Computer Science by Lamport. Both approaches are introduced using a common example and the results of their application are discussed. As an outlook, a possible strategy for integrating algorithmic and deductive verification of hybrid systems is sketched at the end of the paper.

Modular specification and verification of XTP

The transfer protocol framework supports the formal specification and verification of data transfer protocols. It consists of generic specification modules and theorems. Compositions of specification module instances result in well-structured specifications which describe a protocol, the medium used, and the service provided by means of TLA formulas. The protocol verification is based on the proof of the logical implication between protocol and service specification. Due to the modular structuring of the specifications, this proof can be decomposed into a set of subimplications which correspond directly to theorems of the framework. Therefore, the development of formal specifications as well as the protocol verification can be reduced to the instantiation and arrangement of framework elements. The flexibility of the framework opens its application for a broad spectrum of data transfer protocols. We outline the principles of the framework and concentrate on its application to the high-speed transfer protocol XTP. Because of the framework support, the formal modeling and analysis of this modern and function-rich protocol was manageable and identifies deficiencies of the current protocol definition clearly.

A framework for the hazard analysis of chemical plants

We develop a framework supporting the formal hazard analysis of chemical plants. It provides generic specification modules for the description of safety properties, specification modules for the description of plant models, and theorems stating that certain subsystem structures of the plant model imply certain safety properties. Using the framework for hazard analysis, one first describes the plant and its control equipment as a composition of framework module instances. Then, one expresses the different safety properties of interest by parametrized framework modules. Finally, a safety property is proven when an appropriate theorem instance of the framework can be found. Thus, the framework facilitates the formal modeling. Moreover, the efforts for formal verifications are reduced drastically since framework theorem instances can replace explicit proofs. The framework utilizes modular temporal logic specifications supported by the specification language cTLA, and in particular is devoted to the compositional description of process systems.

Framework and Tool Support for Formal Verification of Highspeed Transfer Protocol Designs

Formal description techniques, verification methods, and their tool-based automated application meanwhile provide valuable support for the formal analysis of communication protocol designs. Nevertheless the practical analysis of modern protocols still requires relatively great efforts and therefore many protocol developments do not employ formal methods. In that context the transfer protocol framework aims to complementary support. It supplies a rich collection of specification modules and guides their efficient composition to service and protocol specifications. Moreover the functional relations between service properties and implementing protocol mechanisms have been investigated systematically. The framework provides a collection of corresponding theorems to be applied to protocol correctness proofs. In result protocol verification can be reduced to the selection, instantiation, and proper arrangement of framework theorems. The verification process can further be supported by special tool-assistance. The tool COAST identifies the compositional structure of a protocol specification mechanically and selects according framework theorems. It splits service property proofs into arrangements of subproofs where the subproofs can mainly be accomplished by application of the selected framework theorems. After outlining the general transfer protocol framework approach we concentrate on the introduction of the tool COAST. We describe its functions and clarify its application by means of the verification of the complex real-life high-speed data transfer protocol XTP.

Specification of hybrid systems in cTLA

cTLA+ is a compositional specification and verification technique which is based on Leslie Lamports (1994) Temporal Logic of Actions TLA. cTLA+ supports modular process type definitions and the composition of processes to systems. Processes can model components of an implementation. Moreover they can represent modular logical constraints. Constraint-oriented structures of system specifications are of particular interest, since they can help to decompose verifications into manageable subtasks. In order to support the constraint-oriented description of hybrid systems, we developed suitable extensions of cTLA+ which cover real-time and continuous properties. We give an outline of cTLA+ and demonstrate the hybrid extensions by means of a small example. Also, the example gives a first impression of constraint-oriented specification structures of hybrid systems.

Formal hazard analysis of hybrid systems in cTLA

Hybrid systems like computer-controlled chemical plants are typical safety critical distributed systems. In present practice, the safety of hybrid systems is guaranteed by hazard analysis which is performed according to procedures (e.g., Ha/sub 2/Op) where experts discuss a series of informal argumentations. Each argumentation considers a specific required system property. Formal property proofs can increase the reliability. They, however have often to deal with very complex hybrid systems. Therefore, methods are needed which structure and decompose formal verification tasks into manageable subtasks. With respect to this, our approach achieves a relatively direct translation of informal argumentations into formal proofs. Since the informal argumentations mostly do not refer to the system as a whole but do only address specific parts and aspects, the formal proofs also can deal with partial, less complex system models. In result even very complex systems can be verified in well-manageable subtasks. The direct translation is supported by the characteristics of the specification technique applied. The temporal logic based technique cTLA supports the modular description of hybrid process systems. In particular one can model a system as a composition of behavior constraints. Properties which are implied by a subsystem of constraints also are properties of the system as a whole. Therefore a subsystem can correspond to the parts and aspects addressed by an informal argumentation. We outline cTLA and introduce the formalization of hazard analysis argumentations by means of a hybrid example system. Additionally, we sketch a framework of specification modules and theorems which supports the formal hazard analysis of hybrid systems.