Tobe Toben
OFFIS
Publication
Featured research published by Tobe Toben.
Program Analysis and Compilation, Theory and Practice | 2007
Werner Damm; Tobe Toben; Bernd Westphal
The Live Sequence Charts (LSC) language is a formally rigorous variant of the well-known scenario language Message Sequence Charts (MSC). LSCs yield expressive power by means to distinguish mandatory and scenario behaviour, means to characterise by another scenario the context in which a specification applies, and means to distinguish required from possible progress, i.e. to require liveness. From the original proposal by Damm & Harel [1], two slightly different dialects emerged, one in the context of LSC play-in and -out [2] and one for the use of LSCs as formal requirements specification language in formal, model-based approaches to software development [3]. In this paper, we investigate the expressive power of LSCs in the sense of [3]. That is, we first (constructively) show that for each LSC there is an equivalent CTL* formula. Complementing existing work, we show that the containment is strict, that is, not each CTL* formula has an equivalent LSC. To complete the discussion, we present for the first time a way back, from a syntactically characterised fragment of CTL* to the subset of bonded LSC specifications, thereby establishing an equivalence.
Automated Technology for Verification and Analysis | 2007
Jörg Bauer; Tobe Toben; Bernd Westphal
Dynamic Communication Systems (DCS) are infinite state systems where an unbounded number of processes operate in an evolving communication topology. For automated verification of properties of DCS, finitary abstractions based on exploiting symmetry can be employed. However, these abstractions give rise to spurious behaviour that often prevents relevant properties from being proved successfully. In this paper, we propose to combine a particular finitary abstraction with global system invariants obtained by abstract interpretation. These system invariants establish an over-approximation of possible communication topologies occurring at runtime, which can be used to identify and exclude spurious behaviour introduced by the finitary abstraction, which is thereby refined. Based on a running example of car platooning, we demonstrate that our approach allows us to verify temporal DCS properties that no technique in isolation is able to prove.
Fundamental Approaches to Software Engineering | 2006
Bernd Westphal; Tobe Toben
The Live Sequence Chart (LSC) language is a conservative extension of the well-known visual formalism of Message Sequence Charts. An LSC specification formally captures requirements on the inter-object behaviour in a system as a set of scenarios. As with many languages, there are LSCs which are syntactically correct but unsatisfiable due to internal contradictions. The authors of the original publication on LSCs avoid this problem by restricting their discussion to well-formed LSCs, i.e. LSCs that induce a partial order on their elements. This abstract definition is of limited help to authors of LSCs as they need guidelines on how to write well-formed LSCs and fast procedures that check for the absence of internal contradictions. To this end we provide an exact characterisation of well-formedness of LSCs in terms of concrete syntax as well as in terms of the semantics-giving automata. We give a fast graph-based algorithm to decide well-formedness. Consequently we can confirm that the results on the complexity of a number of LSC problems recently obtained for the subclass of well-formed LSCs actually hold for the set of all LSCs.
Electronic Notes in Theoretical Computer Science | 2006
Tobe Toben; Bernd Westphal
Partially Ordered Symbolic Automata (POSAs) are used as the semantical foundation of visual formalisms like the scenario based language of Live Sequence Charts (LSCs). To check whether a model satisfies an LSC requirement, the LSC's POSA can be composed in parallel to the model as an observer automaton or it can be translated to a CTL or LTL formula. Thus by the well-known complexity properties of CTL and LTL model-checking, the size of an LSC's POSA directly contributes to the runtime of the model-checking task. The size grows with the concurrency allowed by the LSC, e.g. when the observation order of LSC elements is relaxed by enclosing the elements in a coregion. We investigate decomposition properties of POSAs with deterministic states, i.e. states with disjointly annotated outgoing transitions. We devise a procedure to decompose a POSA with deterministic states into a set of POSAs whose intersection language is equal to the language of the original POSA. When decomposing at dominating states, the obtained POSAs are strictly smaller. As the majority of states in POSAs obtained for LSCs are deterministic and dominating, model-checking of LSCs can effectively be distributed.
Applications of Graph Transformations with Industrial Relevance | 2008
Jörg Bauer; Werner Damm; Tobe Toben; Bernd Westphal
On the basis of a case-study, we demonstrate the usefulness of topology invariants for model-driven systems development. Considering a graph grammar semantics for a relevant fragment of UML, where a graph represents an object diagram, allows us to apply Topology Analysis, a particular abstract interpretation of graph grammars. The outcome of this analysis is a finite and concise over-approximation of all possible reachable object diagrams, the so-called topology invariant. We discuss how topology invariants can be used to verify that constraints on a given model are respected by the behaviour and how they can be viewed as synthesised constraints providing insight into the dynamic behaviour of the model.
Leveraging Applications of Formal Methods | 2011
Tobe Toben; Sönke Eilers; Christian Kuka; Sören Schweigert; Hannes Winkelmann; Stefan Ruehrup
Autonomous transport vehicles (AGVs) steadily gain importance in logistics and factory automation. Currently, the systems are mainly operating in indoor scenarios at limited speeds, but with the evolution of navigation capabilities and obstacle avoidance techniques, AGVs have reached a degree of autonomy that, from a technical perspective, allows their operation beyond closed work environments. The major hurdle to overcome is to be able to guarantee the required safety level for industrial applications. In this paper, we propose a general architecture for AGVs that formalizes the current safety concept and extends it to vehicles driving at higher speeds in outdoor environments. Technically, the additional safety level is achieved by integrating information from stationary sensors in order to increase the perception of the vehicles.
Computer Aided Verification | 2006
Jochen Klose; Tobe Toben; Bernd Westphal; Hartmut Wittke
European Conference on Smart Sensing and Context | 2010
Tobe Toben
Electronic Notes in Theoretical Computer Science | 2013
Tobe Toben; Jan-Hendrik Rakow
Dagstuhl Seminar Proceedings | 2010
Tobe Toben; Bernd Westphal; Jan-Hendrik Rakow