Publication


Featured research published by Werner Damm.


formal methods for open object-based distributed systems | 1998

LSCs: Breathing Life into Message Sequence Charts

Werner Damm; David Harel

While message sequence charts (MSCs) are widely used in industry to document the interworking of processes or objects, they are expressively quite weak, being based on the modest semantic notion of a partial ordering of events as defined, e.g., in the ITU standard. A highly expressive and rigorously defined MSC language is a must for serious, semantically meaningful tool support for use-cases and scenarios. It is also a prerequisite to addressing what we regard as one of the central problems in behavioral specification of systems: relating scenario-based inter-object specification to state-machine intra-object specification. This paper proposes an extension of MSCs, which we call live sequence charts (or LSCs), since our main extension deals with specifying “liveness”, i.e., things that must occur. In fact, LSCs allow the distinction between possible and necessary behavior both globally, on the level of an entire chart, and locally, when specifying events, conditions and progress over time within a chart. This also makes it possible to specify forbidden scenarios, and strengthens structuring constructs like subcharts, branching and iteration.


Theoretical Computer Science | 1982

The IO- and OI-hierarchies

Werner Damm

An analysis of recursive procedures in ALGOL 68 with finite modes shows, that a denotational semantics of this language can be described on the level of program schemes using a typed λ-calculus with fixed-point operators. In the first part of this paper, we derive classical schematological theorems for the resulting class of level-n schemes. In part two, we investigate the language families obtained by call-by-value and call-by-name interpretation of level-n schemes over the algebra of formal languages. It is proved, that differentiating according to the functional level of recursion leads to two infinite hierarchies of recursive languages, the IO- and OI-hierarchies, which can be characterized as canonical extensions of the regular, context-free, and IO- and OI-macro languages, respectively. Sufficient conditions are derived to establish strictness of IO-like hierarchies. Finally we derive, that recursion on higher types induces an infinite hierarchy of control structures by proving that level-n schemes are strictly less powerful than level-n+1 schemes.


European Journal of Control | 2012

Taming Dr. Frankenstein: Contract-Based Design for Cyber-Physical Systems

Alberto L. Sangiovanni-Vincentelli; Werner Damm; Roberto Passerone

Cyber-physical systems combine a cyber side (computing and networking) with a physical side (mechanical, electrical, and chemical processes). In many cases, the cyber component controls the physical side using sensors and actuators that observe the physical system and actuate the controls. Such systems present the biggest challenges as well as the biggest opportunities in several large industries, including electronics, energy, automotive, defense and aerospace, telecommunications, instrumentation, industrial automation. Engineers today do successfully design cyber-physical systems in a variety of industries. Unfortunately, the development of systems is costly, and development schedules are difficult to stick to. The complexity of cyber-physical systems, and particularly the increased performance that is offered from interconnecting what in the past have been separate systems, increases the design and verification challenges. As the complexity of these systems increases, our inability to rigorously model the interactions between the physical and the cyber sides creates serious vulnerabilities. Systems become unsafe, with disastrous inexplicable failures that could not have been predicted. Distributed control of multi-scale complex systems is largely an unsolved problem. A common view that is emerging in research programs in Europe and the US is “enabling contract-based design (CBD),” which formulates a broad and aggressive scope to address urgent needs in the systems industry. We present a design methodology and a few examples in controller design whereby contract-based design can be merged with platform-based design to formulate the design process as a meet-in-the-middle approach, where design requirements are implemented in a subsequent refinement process using as much as possible elements from a library of available components. 
Contracts are formalizations of the conditions for correctness of element integration (horizontal contracts), for lower level of abstraction to be consistent with the higher ones, and for abstractions of available components to be faithful representations of the actual parts (vertical contracts).


international symposium on compositionality significant difference | 1997

A Compositional Real-Time Semantics of STATEMATE Designs

Werner Damm; Bernhard Josko; Hardi Hungar; Amir Pnueli

This paper presents a reference semantics for a verification tool currently under development allowing to verify temporal properties of embedded control systems modelled using the StateMate system. The semantics reported divert from others reported in the literature [24] by faithfully modelling the semantics as supported in the StateMate simulation tool. It differs from the recent paper by Harel and Naamad [8] by providing a compositional semantics, a prerequisite for the support of compositional verification methods, and by the degree of mathematical rigour. We use a variant of synchronous transition systems introduced by Manna and Pnueli [18] as base model for our semantics.


design, automation, and test in europe | 2011

Using contract-based component specifications for virtual integration testing and architecture design

Werner Damm; Hardi Hungar; Bernhard Josko; Thomas Peikenkamp; Ingo Stierand

We elaborate on the theoretical foundation and practical application of the contract-based specification method originally developed in the Integrated Project SPEEDS [11], [9] for two key use cases in embedded systems design. We demonstrate how formal contract-based component specifications for functional, safety, and real-time aspects of components can be expressed using the pattern-based requirement specification language RSL developed in the Artemis Project CESAR, and develop a formal approach for virtual integration testing of composed systems based on such contract-specifications of subsystems. We then present a methodology for multi-criteria architecture evaluation developed in the German Innovation Alliance SPES on Embedded Systems.


ACM Transactions in Embedded Computing Systems | 2005

Guidelines for a graduate curriculum on embedded software and systems

Paul Caspi; Alberto L. Sangiovanni-Vincentelli; Luis Almeida; Albert Benveniste; Bruno Bouyssounouse; Giorgio C. Buttazzo; Ivica Crnkovic; Werner Damm; J. Engblom; G. Folher; Marisol García-Valls; Hermann Kopetz; Y. Lakhnech; François Laroussinie; Luciano Lavagno; Giuseppe Lipari; F. Maraninchi; Ph. Peti; J. De La Puente; N. Scaife; Joseph Sifakis; R. De Simone; Martin Törngren; P. Verissimo; Andy J. Wellings; Reinhard Wilhelm; Tim A. C. Willemse; Wang Yi

The design of embedded real-time systems requires skills from multiple specific disciplines, including, but not limited to, control, computer science, and electronics. This often involves experts from differing backgrounds, who do not recognize that they address similar, if not identical, issues from complementary angles. Design methodologies are lacking in rigor and discipline so that demonstrating correctness of an embedded design, if at all possible, is a very expensive proposition that may delay significantly the introduction of a critical product. While the economic importance of embedded systems is widely acknowledged, academia has not paid enough attention to the education of a community of high-quality embedded system designers, an obvious difficulty being the need of interdisciplinarity in a period where specialization has been the target of most education systems. This paper presents the reflections that took place in the European Network of Excellence Artist leading us to propose principles and structured contents for building curricula on embedded software and systems.


Information & Computation | 1986

An automata-theoretical characterization of the OI-hierarchy

Werner Damm; Andreas Goerdt

This paper gives an automata-theoretical characterization of the OI-hierarchy (Damm (1982), Engelfriet and Schmidt (1977), Wand (1975)). This hierarchy is generated by so-called level-n grammars which are natural generalizations from context free and macro grammars in that their nonterminals are treated as functionals of higher type, i.e., they are allowed to carry up to n levels of parameters. The automata model used for this characterization is the n-iterated pushdown automaton. Its characteristic feature is the storage structure which consists of a nesting of pushdowns up to nesting depth n. The equivalence proof is given constructively, its method is illustrated using examples. By viewing level-n grammars as modeling recursive procedures on higher types the iterated pushdown automaton thus provides an operational model for the run-time behavior of procedures defined by recursion on higher types which makes the results of this paper interesting not only from a language theoretical point of view.


formal methods | 2002

Understanding UML: A Formal Semantics of Concurrency and Communication in Real-Time UML

Werner Damm; Bernhard Josko; Amir Pnueli; Angelika Votintseva

We define a subset krtUML of UML which is rich enough to express all behavioural modelling entities of UML used for real-time applications, covering such aspects as active objects, dynamic object creation and destruction, dynamically changing communication topologies in inter-object communication, asynchronous signal based communication, synchronous communication using operation calls, and shared memory communication through global attributes. We define a formal interleaving semantics for this kernel language by associating with each model M ∈ krtUML a symbolic transition system STS(M). We outline how to compile industrial real-time UML models making use of generalisation hierarchies, weak- and strong aggregation, and hierarchical state-machines into krtUML, and propose modelling guidelines for real-time applications of UML. This work provides the semantical foundation for formal verification of real-time UML models described in the companion paper [11].


Science of Computer Programming | 2005

A discrete-time UML semantics for concurrency and communication in safety-critical applications

Werner Damm; Bernhard Josko; Amir Pnueli; Angelika Votintseva

We define a subset krtUML of UML which is rich enough to express such modelling entities of UML, used in real-time applications, as active objects, dynamic object creation and destruction, dynamically changing communication topologies, combinations of synchronous and asynchronous communication, and shared memory usage through object attributes. We define a formal interleaving semantics for this kernel language by associating with each model M ∈ krtUML a symbolic transition system STS(M). We briefly outline how to compile models of industrial systems making use of generalisation hierarchies, weak and strong aggregation, and hierarchical state-machines into krtUML. The main aim of the paper is to provide an executable semantics for krtUML suitable for the formal verification of temporal model properties with existing model-checking tools.


International Journal of Control | 2006

Verification of cooperating traffic agents

Werner Damm; Hardi Hungar; Ernst-Rüdiger Olderog

This paper exploits design patterns employed in coordinating autonomous transport vehicles in order to ease the burden in verifying cooperating hybrid systems. The presented verification methodology is equally applicable for avionics applications (such as the traffic alert and collision avoidance system (TCAS)), train applications (such as the European train control system (ETCS)), or automotive applications (such as platooning). We present a verification rule explicating the essence of employed design patterns, guaranteeing global safety properties of the kind “a collision will never occur”, and whose premises can either be established by off-line analysis of the worst-case behaviour of the involved traffic agents, or by purely local proofs, involving only a single traffic agent. A companion paper will show how such local proof obligations can be discharged automatically.

Collaboration



Top Co-Authors

Gert Döhmen

University of Oldenburg
