Formal method

The use of formal models of security policies are required for high assurance security systems. One benefit of formal methods is that it allows for a precise presentation of items, allowing for analysis by others and subsequent discussion. In this paper we examine the presentation and use of the formal security policy developed in ACL2 as presented by Greve, Wilding and Vanfleet in 2003. We found that the ACL2 model and corresponding textual description left some points ambiguous. We clarify these points in this paper.

The future of Open Distributed Processing systems (ODP) will see an increasing of components number, these components are sharing resources. In general, these resources are offering some kind of services. Due to the huge number of components, it is very difficult to offer the optimum Quality of service (QoS). This encourages us to develop a model for QoS negotiation process to optimize the QoS in an ODP system. In such system, there is a High risk of software or hardware failure. To ensure good performance of a system based on our model, we develop it using a formal method. In our case, we will use Event-B to get in the end of our development a system correct by construction.

This invited paper presents a number of correlated specifications of example railway system problems. They use a variety of partially or fully integrated formal specification. The paper thus represents a mere repository of what we consider interesting case studies. The existence of the Unified Modeling Language [10, 67, 36, 20] has caused, for one reason or another, the research community to try formalise one or another facet of UML. In this paper we report on another way to achieve what UML attempts to achieve: Broadness of application, convenience of notation, and multiplicity of views. Whether these different UML views are unified, integrated, correlated or merely co-located is for others to dispute. We also seek to support multiple views, but are also in no doubt that there must be sound, well defined relations between such views. We thus report on ways and means of integrating formal techniques such as RAISE (RSL) [58, 59],

We report on a case study to assess the use of an advanced knowledge-based software design technique with programmers who have not participatedin the technique's development. We use the KIDS approach to algorithm design to construct two global search algorithms that route baggage through a transportation net. Construction of the second algorithm involves extending the KIDS knowledge base. Experience with the case study leads us to integrate the approach with the spiral and prototyping models of software engineering, and to discuss ways to deal with incomplete design knowledge.

The high cost and long development cycle of shop floor controls (SFC) have prevented many small, medium, and even large-size manufacturers from deploying plant-wide, real-time information systems. In order to stay competitive in a make-to-order business model, such systems are essential. In addressing the obstacles to such systems, this article proposes a formal method that ensures that a built SFC can be applicable to a plant-wide, real-time information system. By taking advantage of both the linear growth of the complexity function in a structured adaptive supervisory control model, and the real-time responses of a virtual production line based e-Manufacturing system, a formal method for creating an integration-ready structured adaptive supervisory control model (iSASC) for a discrete manufacturing system is introduced. An iSASCbased SFC prototype system was successfully tested and evaluated in an industrial site.

Many tools have been constructed using different formal methods to process various parts of a language specification (e.g. scanner generators, parser generators and compiler generators). The automatic generation of a complete compiler was the primary goal of such systems, but researchers recognised the possibility that many other language-based tools could be generated from formal language specifications. Such tools can be generated automatically whenever they can be described by a generic fixed part that traverses the appropriate data structures generated by a specific variable part, which can be systematically derivable from the language specifications. The paper identifies generic and specific parts for various language-based tools. Several language-based tools are presented in the paper, which are automatically generated using an attribute grammar-based compiler generator called LISA. The generated tools that are described in the paper include editors, inspectors, debuggers and visualisers/animators. Because of their complexity of construction, special emphasis is given to visualisers/animators, and the unique contribution of our approach toward generating such tools.

Considering that current end to end communication services are not adapted for supporting efficiently distributed multimedia application, this paper introduces a new family of generic transport protocols directly instantiated from application layer quality of service requirements. This Generic Transport Protocol (GTP) has been successfully tested for video on demand systems and is one of the major building block of the currently under development GCAP European project. GTP allows one to apply in the transport layer powerful adaptation mechanisms to the network behavior while preserving application requirements and alleviating network bandwidth and buffering needs

Binary component-based software updates that are efficient, safe and generic still remain a challenge. Most existing deployment systems that achieve this goal have to control the complete software environment of the user which is a barrier to adoption for both software consumers and producers. Binary change set composition is a technique that can be applied to deliver incremental, binary updates for component-based software systems in an efficient and non-intrusive way. This way application updates can be delivered more frequently, with minimal additional overhead for users and without sacrificing the benefits of component-based software development.

The Raise Specification Language (RSL) is a modeling language which supports various specification styles. To apply model checking to RSL concurrent descriptions, we translate RSL specifications into the input language CSPM of FDR. FDR is the model checker for the process algebra CSP. First, we define a syntactic and semantic translation from the concurrent applicative subset of RSL to CSPM, and show that this translation is a strong bisimulation which preserves properties such as traces and deadlock. Consequently, results obtained by refinement checks in FDR are sound for the original RSL descriptions. Second, RSL uses Linear Temporal Logic (LTL) to specify desired properties, but FDR does not support LTL. LTL formulas may be translated to CSP test processes in order to check them with FDR. We build a tool which automates the translation of RSL specifications into CSPM and translates LTL formulas to CSP processes, enabling the model checking of LTL formulas over RSL descriptions with FDR.

In this work, we present a method for approximating constrained maximum entropy (ME) reconstructions of SPECT data with modifications to a block-iterative maximum a posteriori (MAP) algorithm. Maximum likelihood (ML)-based reconstruction algorithms require some form of noise smoothing. Constrained ME provides a more formal method of noise smoothing without requiring the user to select parameters. In the context of SPECT, constrained ME seeks the minimum-information image estimate among those whose projections are a given distance from the noisy measured data, with that distance determined by the magnitude of the Poisson noise. Images that meet the distance criterion are referred to as feasible images. We find that modeling of all principal degrading factors (attenuation, detector response, and scatter) in the reconstruction is critical because feasibility is not meaningful unless the projection model is as accurate as possible. Because the constrained ME solution is the same as a MAP solution for a particular value of the MAP weighting parameter, beta, the constrained ME solution can be found with a MAP algorithm if the correct value of beta is found. We show that the RBI-MAP algorithm, if used with a dynamic scheme for estimating beta, can approximate constrained ME solutions in 20 or fewer iterations. We compare results for various methods of achieving feasible images on a simulation of Tl-201 cardiac SPECT data. Results show that the RBI-MAP ME approximation provides images and quantitative estimates close to those from a slower algorithm that gives the true ME solution. Also, we find that the ME results have higher spatial resolution and greater high-frequency noise content than a feasibility-based stopping rule, feasibility-based low-pass filtering, and a quadratic Gibbs prior with beta selected according to the feasibility criterion. We conclude that fast ME approximation is possible using either RBI-MAP with the dynamic procedure or a feasibility-based stopping rule, and that such reconstructions may be particularly useful in applications where resolution is critical.

Mathematical induction is required for reasoning about objects or events containing repetition, e.g. computer programs with recursion or iteration, electronic circuits with feedback loops or parameterized components. Thus mathematical induction is a key enabling technology for the use of formal methods in information technology. Failure to automate inductive reasoning is one of the major obstacles to the widespread use of formal methods in industrial hardware and software development. Recent developments in automatic theorem proving promise significant improvements in our ability to automate mathematical induction. As a result of these developments, the functionality of inductive theorem provers has begun to improve. Moreover, there are some promising signs that even more significant improvements are possible. This enlarges the applicability of automated induction for "real world" problems and research topics for application have been discussed on the seminar. Automated induction is a relatively small subfield of automated reasoning. Research is based on two competing paradigms each having its merits but also its shortcomings as compared with the other: • Implicit induction evolved from Knuth-Bendix-Completion and most of the work based on this paradigm was performed by researchers concerned with term rewriting systems in general. • Explicit induction has its roots in traditional automated theorem proving. It resembles the more familiar idea of theorem proving by induction where induction axioms are explicitly given and specific inference techniques are tailored for proving base and step formulas. This seminar brought together leading scientists from both areas to discuss recent advancements within both paradigms, to evaluate and compare the state of the art and to work for a synthesis of both approaches. It summarized the results of a series of workshops held on automated induction in conjunction with the CADE conferences 1992 (Saratoga Springs) and 1994 (Nancy) and the AAAI conference 1993 (Washington DC). The success of this meeting was due in no small part to the Dagstuhl Seminar Center and its staff for creating such a friendly and productive environment. The organizers and participants greatly appreciate their effort. The organizers also thank Jürgen Giesl and Martin Protzen for their support in many organizational details.

We introduce a logical verification methodology for checking behavioral properties of service-oriented computing systems. Service properties are described by means of SocL, a branching-time temporal logic that we have specifically designed for expressing in an effective way distinctive aspects of services, such as, acceptance of a request, provision of a response, correlation among service requests and responses, etc. Our approach allows service properties to be expressed in such a way that they can be independent of service domains and specifications. We show an instantiation of our general methodology that uses the formal language COWS to conveniently specify services and the expressly developed software tool CMC to assist the user in the task of verifying SocL formulas over service specifications. We demonstrate the feasibility and effectiveness of our methodology by means of the specification and analysis of a case study in the automotive domain.

The complex requirements of software systems justify the use of the best existing techniques to guar- antee the quality of speciflcations and to preserve this quality during the programming,phase of a software life-cycle. On the one hand, visual speciflcation lan- guages (such as UML) have been widely used for spec- ifying, visualizing, understanding and documenting software systems, but they

In this paper we introduce a model as a foundation for het-erogeneous services, therefore unifying web services tech-nologies in SOA (Service Oriented Architecture), specif-ically, SOAP/WS * and RESTful models. This model ab-stracts away from service implementations, in order to verify and to enforce some important security properties.

ISO/IEC JTC1/SC24 are developing a standard for the presentation of multimedia objects, called Premo (Presentation Environments for Multimedia Objects). Premo is a multipart standard, the most well-de ned parts of which, at the time of writing, are at the stage of Committee Draft.

Hybrid systems are at the core of most embedded and many other kinds of systems; formal methods for analysis of hybrid systems have made remarkable progress in the last decade and thus provide a strong foundation for assurance in the system core.

Medical guidelines and protocols are documents aimed at improving the quality of medical care by offering support in medical decision making in the form of management recommendations based on scientific evidence. Whereas medical guidelines are intended for nation-wide use, and thus omit medical management details that may differ among hospitals, medical protocols are aimed at local use within hospitals and, therefore, include detailed information. Although a medical guideline and protocol concerning the management of a particular disorder are related to each other, one question is to what extent they are different. Formal methods are applied to shed light on this issue. A Dutch medical guideline regarding the treatment of breast cancer, and a Dutch protocol based on it, are taken as an example.

Abstract. In the last three years or so we at Enterprise Platforms Group at Intel Corporation have been applying formal methods to various problems that arose during the process of defining platform architectures for Intel’s processor families. In this paper we give an overview of some of the problems we have worked on, the results we have obtained, and the lessons we have learned. The last topic is addressed mainly from the perspective of platform architects. 1. Problems and Results Modern computer systems are highly complex distributed systems with many interacting components. Architecturally they are often organized like a computer network into multiple layers: physical layer, link layer, protocol layer, etc. Most of the problems to which we applied formal methods are the formal verification (FV) of intricate protocols in the protocol and link layers. In addition, we also found several novel uses of binary decision diagrams (BDDs) [3] that are worth mentioning. 1.1. Directory-bas...

Safety critical software requires integrating verification techniques in software development methods. Software architectures must guarantee that developed systems will meet safety requirements and safety analyses are frequently used in the assessment. Safety engineers and software architects must reach a common understanding on an optimal architecture from both perspectives. Currently both groups of engineers apply different modelling techniques and languages: safety analysis models and software modelling languages. The solutions proposed seek to integrate both domains coupling the languages of each domain. It constitutes a sound example of the use of language engineering to improve efficiency in a software-related domain. A model-driven development approach and the use of a platform-independent language are used to bridge the gap between safety analyses (failure mode effects and criticality analysis and fault tree analysis) and software development languages (e.g. unified modelling language). Language abstract syntaxes (metamodels), profiles, language mappings (model transformations) and language refinements, support the direct application of safety analysis to software architectures for the verification of safety requirements. Model consistency and the possibility of automation are found among the benefits.

Formal methods and testing are two important approaches that assist in the development of high-quality software. While traditionally these approaches have been seen as rivals, in recent years a new consensus has developed in which they are seen as complementary. This article reviews the state of the art regarding ways in which the presence of a formal specification can be used to assist testing.

Incomplete, inaccurate, ambiguous, and volatile requirements have plagued the software industry since its inception. The convergence of model-based develop- ment and formal methods ofiers developers of safety- critical systems a powerful new approach for the early validation of requirements. This paper describes a case study conducted to determine if formal methods could be used to validate system requirements early in the lifecycle at reasonable cost. Several hundred functional and safety requirements for the mode logic of a typical Flight Guidance System were captured as natural lan- guage \shall" statements. A formal model of the mode logic was written in the RSML¡e language and trans- lated into the NuSMV model checker and the PVS the- orem prover using translators developed as part of the project. Each \shall" statement was manually translated into a NuSMV or PVS property and proven using these tools. Numerous errors were found in both the origi- nal requirements and ...

This paper, describes the design and development of a Supervisory Control System (SCS) for an Electric Vehicle (EV) developed by The Applied Electronics Group. The SCS was implemented on a Panel PC, and the Controller Area Network protocol was used as the communication interface with the Traction Controller. This scheme allows implementing the complete control of the EV as two-level architecture, where the SCS works as a high-level controller coordinating the low-level subsystems (traction, batteries, etc.). I.

This report describes a formal approach to verification and validation of safety requirements for embedded software, by application to a simple control-logic case study. The logic is formally specified in Z. System safety properties are formalised by defining an abstract model of the system’s physical behaviour in Z, including its hazardous states and dominant sensor failures. The Possum specification-animation tool is then used to check that the logic meets its safety requirements. Finally, the logic is implemented in SPARK Ada and SPARK Examiner is used to formally verify the implementation meets its specification. Design safety validation and source code verification are completely automated, removing the need for

Formal methods are being applied to the development of software of various applications at Philips Healthcare. In particular, the Analytical Software Design (ASD) method is being used as a formal technology for developing defect-free control software of highly sophisticated X-ray machines. In this paper we analyze the effects of applying ASD in the development of various control software units. We compare the quality of these units with other units developed in traditional development methods. The results indicate that applying ASD as a formal technology for developing control software results in better quality code.

In the elucidation of complex multistep reactions, it is easy to overlook significant mechanistic hypotheses. Hence, the use of computer programs to search for mechanisms is attractive, but these programs must respect the prior knowledge held by the investigator. Virtually all knowledge-based programs accommodate prior knowledge of either what can or what cannot happen, but there are advantages in exploiting both types of knowledge simultaneously. We report a novel alliance of two programs that enables these advantages and which represents an advance in the capabilities of computational chemistry, as illustrated here on the complex synthesis of acrylic acid from acetylene, CO, and water catalyzed by palladium complexes. The pathways reported by the programs were categorized as hydride, hydroxycarbonyl (alcoholate-like), and metallocyclic, the mechanistic types that are known from publications on hydrocarboxylation and hydrocarbalkoxylation of unsaturated molecules in solutions of transition metal complexes. Many specific pathways were not considered before in the absence of comprehensive computerized searches.

This paper focuses on verification and validation of a model dedicated to mode handling of flexible manufacturing systems (FMSs). This model is specified using the synchronous formalism safe state machines (SSMs). The rigorous semantics that characterize such formalism enable to provide formal verification mechanisms ensuring determinism and dependability. A structured framework for verification and validation of the model dedicated to mode handling is proposed. The main properties being verified within this framework and the corresponding verification methods are presented. The approach is illustrated using an example of a manufacturing production cell. The formal analysis tools integrated into the development environment Esterel Studio are used within the design process. ß

Formal methods have yet to achieve wide industrial acceptance for several reasons. They are not well integrated into established industrial software processes, their application requires significant abstraction and mathematical skills, and existing tools do not satisfactorily support the entire formal software development process. We have proposed a language called SOFL (Structured-Object-based-formal Language) and a SOFL methodology for system development that attempts to address these problems using an ...

Programmable logic devices (PLDs) are now common components of critical systems, and are increasingly used for safety-related or safety-critical functionality. Since 1999 avionics-and defence-related safety standards have advised and prescribed various approaches for PLD programming in safety-related systems. There are many differences between current and recommended practice, and safety engineers differ on how to apply the existing standards. This paper describes past and current practice in programming PLDs in critical systems. It summarises the relevant safety and security standards and anticipates forthcoming changes to UK standards. It describes the work that the authors and others have done in the field of specifying, designing and proving correct PLD programs and maps out avenues of work that the authors believe necessary for PLD programming technology to keep pace with PLD functionality.

We report on a fruitful combination of applying academic experience with formal modelling and verification techniques to an industrial case study. The goal of the case study was to investigate a priori, i.e. before implementation, the effects of adding a lightweight and easy-to-use publish/subscribe (event) notification service to thinkteam r ○ —an asynchronous and dispersed groupware system which was developed by think3. Researchers from the Formal Methods and Tools (FM&T) group of ISTI–CNR—with a longstanding experience in research on the development and application of formal methods, notations, and software tools for the specification, design, and verification of complex computer systems— therefore teamed up with think3—a global provider of integrated product development solutions that provides mechanical design and Product Data Management (PDM) software catering the product management needs of design processes in the manufacturing industry. The technical details of this joint re...

We summarize some current trends in embedded systems design and point out some of their characteristics, such as the chasm between analytical and computational models, and the gap between safety-critical and best-effort engineering practices. We call for a coherent scientific foundation for embedded systems design, and we discuss a few key demands on such a foundation: the need for encompassing several manifestations of heterogeneity, and the need for constructivity in design. We believe that the development of a satisfactory Embedded Systems Design Science provides a timely challenge and opportunity for reinvigorating computer science.

This paper presents our contribution to the specification and conception of interactive systems. In this framework, the TOOD+ method (Task Oriented Object Design) proposed in this paper relies on a generic model and based for its description on the language of object modelization UML (Unified Modeling Language). The model-based approach and the used formalism have been chosen, to make a code multiple (C++, JAVA …) and multi platform (Palm, mobile telephone …).Our work is part and parcel of many others which are based on the principle of code generation from the specifications. Among some models, this generation corresponds to apply the MDE approach (Model Driven Engineering. This approach is presented on an example of interactive application (the air traffic control)

Object orientation and formal methods are widely regarded as two fields with significant potential for new software engineering techniques. This paper discusses the relations between these two approaches. We present various specification techniques which incorporate object-oriented paradigms, discuss their place in software development process, and analyse possible benefits from their applications.

A detailed generic model of the control design process is introduced and discussed. It is used for surveying different formal approaches in the context of PLC programming. The survey focuses on formal methods for verification and validation (V&V). The varying works in this area are categorized using three criteria: the general approach (A) to the task (model based, constraint based or without a model), the formalism (F) (Petri net, automata, etc.,) used to state the formal description, and the method (M) (model-checking, reachability analysis, etc.,) used to analyze the properties. Based on these three criteria (A-F-M) a three letter code for V&V approaches is introduced. Some works from the multitude of V&V research are presented and categorized using this new system

Risk is defined as an event that has a probability of occurring, and could have either a positive or negative impact to a project should that risk occur. A risk may have one or more causes and, if it occurs, one or more impacts. For example, a cause may be requiring an environmental permit to do work, or having limited personnel assigned to design the project. The risk event is that the permitting agency may take longer than planned to issue a permit, or the assigned personnel available and assigned may not be adequate for the activity. If either of these uncertain events occurs, there may be an impact on the project cost, schedule or performance. Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity. (Van Scoy, 1992) A risk is a potential future harm that may arise from some present action; such as, a schedule slip or a cost overrun. The loss is often considered in terms of direct financial loss, but also can be a loss in terms of credibility, future business, and loss of property or life. (Wikipedia, 2004) As part of introducing risk management, two other important items need to be addressed; first are the mitigation steps that can be taken to lessen the probability of the event occurring, second is the contingency plan, or a series of activities that should take place either prior to, or when the event occurs. Mitigation actions frequently have a cost. Sometimes the cost of mitigating the risk can exceed the cost of assuming the risk and incurring the consequences. It is important to evaluate the probability and impact of each risk against the mitigation strategy cost before deciding to implement a contingency plan. Contingency plans implemented prior to the risk occurring are pre-emptive actions intended to reduce the impact or remove the risk in its entirety. Contingency plans implemented after a risk occurs can usually only lessen the impact. Risk management is a broad factor affecting quite a number of business sectors however it's also a factor which must be addressed by every human being on earth regarding their way of

The NASA Monographs in Systems and Software Engineering series addresses cutting-edge and groundbreaking research in the fields of systems and software engineering. This includes in-depth descriptions of technologies currently being applied, as well as research areas of likely applicability to future NASA missions. Emphasis is placed on relevance to NASA missions and projects.

Purpose -The purpose of this paper is to report the findings of research into the principles and procedures associated with value management (VM) and assess its use and effectiveness within the construction industry in Northern Ireland. It provides a brief review of the principles, various procedures and methods associated with VM, investigates the positive and negative factors relating to its use whilst analysing the extent of its usage and determining its effectiveness. Design/methodology/approach -Using a mixed method approach, the authors present the results of a survey of construction professionals operating in Northern Ireland and provide an examination of three case studies exploring the use of VM within the Northern Ireland construction industry. Findings -In an industry where the client's needs and demands are of paramount importance, VM has emerged as a tool which can help satisfy these needs. This study shows that VM is frequently used within the Northern Ireland construction industry and on the whole is quite effective. However, the research exposed a general consensus that the VM process is frequently not implemented at the most appropriate stage of a project, which suggests that if it was, it could perhaps be more effective than it is at present. There is an apparent lack of formal methods used to carry out the VM process. Instead, rather loose and informal methods are used. Originality/value -In the absence of a similar study that analyses the factors that influence the VM process highlighting and documenting the views and opinions expressed by the professionals within today's industry and reviewing the effectiveness of its usage, this paper documents a snapshot of practice of VM within the Northern Ireland construction industry.

publishes this series in order to make available to a broad public recent findings in informatics (i.e. computer science and information systems), to document conferences that are organized in cooperation with GI and to publish the annual GI Award dissertation.

There are several notations to build a model: textual, graphical and mathematical. There are several notations to build a model: textual, graphical and by using mathematics. The Object Management Group (OMG) has developed a graphical notation to model systems called SysML (system modeling language); this notation includes the modeling of the system requirements. In this paper a precise model of the requirements diagrams of SysML is presented. This model is made using a modeling language called Alloy, which has been used to formally specify UML diagrams.