Development graphs—Proof management for structured specifications

Development graphs are a tool for dealing with structured specifications in a formal program development in order to ease the management of change and reusing proofs. In this work, we extend development graphs with hiding (e.g. hidden operations). Hiding is a particularly difficult to realize operation, since it does not admit such a good decomposition of the involved specifications as other structuring operations do. We develop both a semantics and proof rules for development graphs with hiding. The rules are proven to be sound, and also complete relative to an oracle for conservative extensions. We also show that an absolutely complete set of rules cannot exist.The whole framework is developed in a way independent of the underlying logical system (and thus also does not prescribe the nature of the parts of a specification that may be hidden). We also show how various other logic independent specification formalisms can be mapped into development graphs; thus, development graphs can serve as a kernel formalism for management of proofs and of change.     

On the existence of translations of structured specifications

We provide a set of sufficient conditions for the existence of translations of structured specifications across specification formalisms. The most basic condition is the existence of a translation between the logical systems underlying the specification formalisms, which corresponds to the unstructured situation. Our approach is based upon institution theory and especially upon a recent abstract approach to structured specifications in which both the underlying logics and the structuring systems are treated fully abstractly. Hence our result is applicable to a wide range of actual specification formalisms that may employ different logics as well as different structuring systems, and is very relevant within the context of the fastly developing heterogeneous specification paradigm.     

The HybridUML profile for UML 2.0

In this article, a new UML extension for the specification of hybrid systems, where observables may consist of both discrete and time-continuous parameters, is presented. Whereas hybrid modeling constructs are not available in standard UML, several specification formalisms for this type of system have been elaborated and discussed, among them the CHARON language of Alur et al. which possesses already several attractive features for modeling embedded real-time systems with hybrid characteristics. Adopting this as a basis, the profile inherits formal semantics based on CHARON, so it offers the possibility for formal reasoning about hybrid UML specifications. Conversely, the CHARON framework is associated with a new syntactic representation within the UML 2.0 world, allowing to develop hybrid specifications with arbitrary CASE tools supporting UML 2.0 and its profiling mechanism. The “look-and-feel” of the profile is illustrated by means of a case study of an embedded system controlling the cabin illumination in an aircraft. The benefits and weaknesses of the constructed hybrid UML profile are discussed, resulting in feed-back for the improvement of both UML 2.0 and the CHARON formalism. The work presented in this article has been investigated by the authors in the context of the HYBRIS (Efficient Specification of Hybrid Systems) project supported by the Deutsche Forschungsgemeinschaft DFG as part of the priority programme on Software Specification - Integration of Software Specification Techniques for Applications in Engineering.     

Syntax and semantics of the compositional interchange format for hybrid systems

Different modeling formalisms for timed and hybrid systems exist, each of which addresses a specific set of problems, and has its own set of features. These formalisms and tools can be used in each stage of the embedded systems development, to verify and validate various requirements.The Compositional Interchange Format (CIF), is a formalism based on hybrid automata, which are composed using process algebraic operators. CIF aims to establish interoperability among a wide range of formalisms and tools by means of model transformations and co-simulation, which avoids the need for implementing many bilateral translators.This work presents the syntax and formal semantics of CIF. The semantics is shown to be compositional, and proven to preserve certain algebraic properties, which express our intuition about the behavior of the language operators. In addition we show how CIF operators can be combined to implement widely used constructs present in other timed and hybrid formalisms, and we illustrate the applicability of the formalism by developing several examples.Based on the formal specification of CIF, an Eclipse based simulation environment has been developed. We expect this work to serve as the basis for the formal definition of semantic preserving transformations between various languages for the specification of timed and hybrid systems.     

User interface specification with sequence diagrams: an application to the AIRBUS A380 Datalink system

The development of user interfaces for safety critical systems is driven by requirements specifications. Because user interface specifications are typically embedded within complex systems requirements specifications, they can be intractable to manage. Proprietary requirements specification tools do not support the user interface designer in modelling and specifying the user interface. In this paper, a new way of working with embedded user interface specifications is proposed, exploiting sequence diagrams with a hypertext structure for representing and retrieving use cases. This new tool concept is assessed through an application to the requirements specification for the Airbus A380 air traffic control Datalink system; engineers involved in the development of the Airbus cockpit used a prototype of the tool concept to resolve a set of user interface design anomalies in the requirements specification. The results of the study are positive and indicate the user interface to requirements specification tools which user interface designers themselves need.     

Verifying task-based specifications in conceptual graphs

A conceptual model is a model of real world concepts and application domains as perceived by users and developers. It helps developers investigate and represent the semantics of the problem domain, as well as communicate among themselves and with users. In this paper, we propose the use of task-based specifications in conceptual graphs (TBCG) to construct and verify a conceptual model. Task-based specification methodology is used to serve as the mechanism to structure the knowledge captured in the conceptual model; whereas conceptual graphs are adopted as the formalism to express task-based specifications and to provide a reasoning capability for the purpose of verification. Verifying a conceptual model is performed on model specifications of a task through constraints satisfaction and relaxation techniques, and on process specifications of the task based on operators and rules of inference inherited in conceptual graphs.     

混合仿真语言规范中的高级本体论

混合仿真语言规范不仅要能够定义语言的语法,还要能够定义设计概念的语义规则。本体论能够为描述将语法和语义相结合的语言规范奠定基础。本文基于对混合系统的分析,提出了混合系统高级本体论HyHO,它包括在混合建模和仿真的不同领域都能通用的最基本的规范,主要包括时间、事件、状态等概念及其属性分析。通过HyHO能够研究混合系统的本质属性,确定先进仿真中混合系统的计算模型,以及模型的通用形式化方法,为混合仿真语言规范设计奠定了基础。     

An approach to the formal specification of computer graphics systems

This paper discusses the approach to formal specification of computer graphics systems developed by the ANSI X3H3 committee (Computer Graphics Programming Languages) in the United States. ANSI's specification philosophy aims to gradually replace existing informal English language specifications with more formal ones without sacrificing the readibility and usefulness of standards documents. The specification techniques used are derived from those presently employed in the specification of computer communication protocols and the specification of software systems, not those used for the specification of programming languages. The specifications consist of three parts: the interface between both graphics and the host language and graphics and the graphical display device, the structure of the graphics system, and the functions that are performed by the graphics system. The specifications are based on abstract data types. These data types, together with the operations which can be performed on them, are used to describe the structure and functions of the graphics system. Using these techniques, X3H3 has developed a complete formal specification for a minimal graphics system. Extracts from this specification are included here.     

Towards the formal specification of an OPS5 production system architecture

The article presents a formal specification for many important aspects of the OPS5 production systems framework. the article illustrates how an abstract formal specification of a production system can be created and the benefits this provides to those involved in the development of knowledge-based systems. the formal specification is preceded by an informal specification of a production system upon which the formal model is based and the development is illustrated through the use of concrete examples. the notation used is that of “Z” (J. M. Spivey, The Z Notation, Prentice-Hall, Englewood Cliffs, NJ, 1990), a language based upon typed set theory. This language has been used to success in the specification of critical conventional software systems (I. Hayes, Technical Monograph PRG-46, Oxford University Computing Laboratory, Oxford, England, 1985) and which is formal enough to allow for the creation of rigorous specifications, yet is of a form that makes these specifications “readable.” the aim of the article is to show that formal techniques can be applied to areas of knowledge-based system development, thus promoting correctness, reliability, and understanding. © 1994 John Wiley & Sons, Inc.     

Formal Verification of a Distributed Computer System

Modeling distributed computer systems is known to be a challenging enterprise. Typically, distributed systems are comprised of large numbers of components whose coordination may require complex interactions. Modeling such systems more often than not leads to the nominal intractability of the resulting state space. Various formal methods have been proposed to address the modeling of coordination among distributed systems components. For the most part, however, these methods do not support formal verification mechanisms. By way of contrast, the L-automata/L-processes model supports formal verification mechanisms which in many examples can successfully circumvent state space explosion problems, and allow verification proofs to be extended to an arbitrary number of components. After reviewing L-automata/L-processes formalisms, we present here the formal specification of a fault-tolerant algorithm for a distributed computer system. We also expose the L-automata/L-processes verification of the distributed system, demonstrating how various techniques such as homomorphic reduction, induction, and linearization, can be used to overcome various problems which surface as one models large, complex systems.     

Editorial

In June 1999, the first International Workshop on Integrated Formal Methods was held at York University in the UK. The primary aim of the workshop was the combination of behavioural and state-based formalisms to yield practical solutions to industrial problems. The workshop proceedings were edited by Keijiro Araki, Andy Galloway and Kenji Taguchi and are available as “IFM99” (ISBN 1-85233-107-0, published by Springer). After the workshop, selected authors were invited to develop journal versions of their papers, incorporating further extensions, corrections and revisions. This was arranged by Andy Galloway who then passed the papers to the journal for refereeing. And here we must record our sincere thanks to Andy. Without his efforts this issue of the journal would simply not have been possible. Following reports from referees and senior colleagues from the editorial board (and the withdrawal of one submission for publication in a book) five papers were accepted for publication here. We hope that those rejected will be further revised and resubmitted; they contained good work but required further development. The common theme is, predictably, the marrying of component specification with control of the interconnecting system, and the first 4 papers all present variations on the theme of Z + CSP. Sühl adds an additional structuring mechanism to Z and CSP and targets his application area as real-time embedded systems, whereas Derrick and Boiten use Object-Z to give partial specifications (viewpoints) which are then combined using CSP. Smith and Hayes describe Real-time Object-Z, which results from the integration of Object-Z with timed traces, and Mahony and Dong investigate the necessary formal underpinning required to combine Timed CSP and Object-Z by means of a trace model. The final paper, by Gro?e-Rhode, introduces and illustrates a mechanism for checking the compatibility of different partial specifications and for coping with composite specifications in which different formalisms have been used. Whether or not this area of formal methods research merely allows us to integrate different, more ‘appropriate’, specification languages or gives rise to new hybrid languages remains to be seen. What is certain is that there are still many problems to be tackled and technology to be transferred.