Skip to main content
SpringerLink
Log in

Model-based construction and verification of critical systems using composition and partial refinement

  • Published:
Formal Methods in System Design Aims and scope Submit manuscript

Abstract

This article introduces a new model-based method for incrementally constructing critical systems and illustrates its application to the development of fault-tolerant systems. The method relies on a special form of composition to combine software components and a set of proof rules to obtain high confidence of the correctness of the composed system. As in conventional component-based software development, two (or more) components are combined, but in contrast to many component-based approaches used in practice, which combine components consisting of code, our method combines components represented as state machine models. In the first phase of the method, a model is developed of the normal system behavior, and system properties are shown to hold in the model. In the second phase, a model of the required fault-handling behavior is developed and “or-composed” with the original system model to create a fault-tolerant extension which is, by construction, “fully faithful” (every execution possible in the normal system is possible in the fault-tolerant system). To model the fault-handling behavior, the set of states of the normal system model is extended through new state variables and new ranges for some existing state variables, and new fault-handling transitions are defined. Once constructed, the fault-tolerant extension is shown, using a set of property inheritance and compositional proof rules, to satisfy both the overall system properties, typically weakened, and selected fault-tolerance properties. These rules can often be used to verify the properties automatically. To provide a formal foundation for the method, formal notions of or-composition, partial refinement, fault-tolerant extension, and full faithfulness are introduced. To demonstrate and validate the method, we describe its application to a real-world, fault-tolerant avionics system.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Abadi M, Lamport L (1991) The existence of refinement mappings. Theor Comput Sci 82(2):253–284

    Article  MATH  MathSciNet  Google Scholar 

  2. Abadi M, Lamport L (1993) Composing specifications. ACM Trans Program Lang Syst 15(1):73–132

    Article  Google Scholar 

  3. Alpern B, Schneider FB (1985) Defining liveness. Inf Process Lett 21(4):181–185

    Article  MATH  MathSciNet  Google Scholar 

  4. Arora A, Attie PC, Emerson EA (1998) Synthesis of fault-tolerant concurrent programs. In: Proc PODC’98, pp 173–182

    Google Scholar 

  5. Arora A, Kulkarni SS (1998) Component based design of multitolerant systems. IEEE Trans Softw Eng 24(1):63–78

    Article  Google Scholar 

  6. Avizienis A, Laprie JC, Randell B (2000) Fundamental concepts of dependability. In: Proc information survivability workshop (ISW-2000), Boston

    Google Scholar 

  7. Banach R, Cross R (2004) Safety requirements and fault trees using retrenchment. In: Heisel M, Liggesmeyer P, Wittman S (eds) Proc SAFECOMP-04

    Google Scholar 

  8. Banach R, Poppleton M, Jeske C, Stepney S (2007) Engineering and theoretical underpinnings of retrenchment. Sci Comput Program 67:301–329

    Article  MATH  MathSciNet  Google Scholar 

  9. Bernardeschi C, Fantechi A, Simoncini L (2000) Formally verifying fault tolerant system designs. Comput J 43(3):191–205

    Article  MATH  Google Scholar 

  10. Bharadwaj R, Heitmeyer C (2000) Developing high assurance avionics systems with the SCR requirements method. In: Proc 19th digital avionics sys conf

    Google Scholar 

  11. Bharadwaj R, Sims S (2000) Salsa: combining constraint solvers with BDDs for automatic invariant checking. In: Proc tools and algorithms for the construction and analysis of systems (TACAS 2000), Berlin

    Google Scholar 

  12. Börger E, Stärk R (2003) Abstract state machines: a method for high-level system design and analysis. Springer, Berlin

    MATH  Google Scholar 

  13. Cau A, de Roever WP (1993) Using relative refinement for fault tolerance. In: Woodcock J, Larsen PG (eds) Formal methods Europe 1993 symp (FMS’93), Odense, Denmark. LNCS, vol 670. Springer, Berlin, pp 19–41

    Google Scholar 

  14. Clarke EM, Grumberg O, Peled DA (1999) Model checking. MIT Press, Cambridge

    Google Scholar 

  15. Dijkstra EW (1997) A discipline of programming. Prentice Hall PTR, Upper Saddle River

    Google Scholar 

  16. Ebnenasir A (2005) Automatic synthesis of fault-tolerance. Ph.D. thesis, Michigan State Univ., East Lansing, MI

  17. France R, Rumpe B (2007) Model-driven development of complex software: a research roadmap. In: 2007 future of software engineering (FOSE’07). IEEE Comput Soc, Los Alamitos

    Google Scholar 

  18. Garland SJ, Lynch N (2000) Using I/O automata for developing distributed systems. In: Leavens GT, Sitaraman M (eds) Foundations of component-based systems. Cambridge Univ Press, Cambridge, pp 285–312

    Google Scholar 

  19. Gärtner FC (1999) Transformational approaches to the specification and verification of fault-tolerant systems: formal background and classification. J Univ Comput Sci 5(10)

  20. Halbwachs N (1993) Synchronous programming of reactive systems. Kluwer Academic, Boston

    MATH  Google Scholar 

  21. Harel D (1987) StateCharts: a visual formalism for complex systems. Sci Comput Program 8(3):231–274

    Article  MATH  MathSciNet  Google Scholar 

  22. Heimdahl MPE, Leveson N (1996) Completeness and consistency in hierarchical state-based requirements. IEEE Trans Softw Eng 22(6):363–377

    Article  Google Scholar 

  23. Heitmeyer C, Archer M, Bharadwaj R, Jeffords R (2005) Tools for constructing requirements specifications: the SCR toolset at the age of ten. Comput Syst Sci Eng 20(1):19–35

    Google Scholar 

  24. Heitmeyer C, Bharadwaj R (2000) Applying the SCR requirements method to the light control case study. J Univers Comput 6(7):650–678

    Google Scholar 

  25. Heitmeyer CL, Archer MM, Leonard EI, McLean JD (2008) Applying formal methods to a certifiably secure software system. IEEE Trans Softw Eng 34(1):82–98

    Article  Google Scholar 

  26. Heitmeyer CL, Jeffords RD, Labaw BG (1996) Automated consistency checking of requirements specifications. ACM Trans Softw Eng Methodol 5(3):231–261

    Article  Google Scholar 

  27. Jeffords R, Heitmeyer C (1998) Automatic generation of state invariants from requirements specifications. In: Proc 6th ACM SIGSOFT symp on foundations of software eng

    Google Scholar 

  28. Jeffords RD, Heitmeyer CL (2003) A strategy for efficiently verifying requirements. In: ESEC/FSE-11: Proc 9th Euro softw eng conf/11th ACM SIGSOFT int symp on foundations of softw eng, pp 28–37

    Google Scholar 

  29. Jeffords RD, Heitmeyer CL, Archer M, Leonard EI (2009) A formal method for developing provably correct fault-tolerant systems using partial refinement and composition. In: Cavalcanti A, Dams D (eds) Proc FM2009: formal methods, 2nd world congress, Eindhoven, The Netherlands. LNCS, vol 5850. Springer, Berlin, pp 173–189

    Google Scholar 

  30. Katz S (2006) Aspect categories and classes of temporal properties. In: LNCS, vol 3880, pp 106–134

    Google Scholar 

  31. Kiczales G, Lamping J, Medhekar A, Maeda C, Lopes CV, Loingtier J.-M., Irwin J. (1997) Aspect-oriented programming. In: Object-oriented programming (ECOOP97). LNCS, vol 1241. Springer, Berlin

    Google Scholar 

  32. Kulkarni S (2010) Personal communication

  33. Kulkarni SS, Arora A (2000) Automating the addition of fault-tolerance. In: Joseph M (ed) FTRTFT’00. LNCS, vol 1926. Springer, Berlin, pp 83–93

    Google Scholar 

  34. Lamport L (1994) The temporal logic of actions. TOPLAS 16(3):872–923

    Article  Google Scholar 

  35. Liu Z, Joseph M (1992) Transformations of programs for fault-tolerance. Form Asp Comput 4(5):442–469

    Article  MATH  Google Scholar 

  36. Liu Z, Joseph M (1999) Specification and verification of fault-tolerance timing, and scheduling. ACM Trans Program Lang Syst 21(1):46–89

    Article  Google Scholar 

  37. Miller SP, Tribble A (2001) Extending the four-variable model to bridge the system-software gap. In: Proc 20th digital avionics sys conf

    Google Scholar 

  38. Parnas DL, Madey J (1995) Functional documentation for computer systems. Sci Comput Program 25(1):41–61

    Article  Google Scholar 

  39. Rothamel T, Heitmeyer C, Leonard E, Liu A (2006) Generating optimized code from SCR specifications. In: Proc ACM SIGPLAN/SIGBED conference on languages, compilers, and tools for embedded systems (LCTES), pp 135–144

    Chapter  Google Scholar 

  40. Shankar N, Owre S, Rushby JM, Stringer-Calvert DWJ (2001) PVS Prover Guide, Version 2.4. Tech. rep., Computer Science Lab, SRI International, Menlo Park, CA

  41. Szyperski C (2002) Component software: beyond object-oriented programming. Addison–Wesley Longman, Boston

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Center for High Assurance Computer Systems, Naval Research Laboratory, Washington, DC, 20375, USA

    Ralph D. Jeffords, Constance L. Heitmeyer, Myla M. Archer & Elizabeth I. Leonard

Authors
  1. Ralph D. Jeffords
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Constance L. Heitmeyer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Myla M. Archer
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Elizabeth I. Leonard
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ralph D. Jeffords.

Additional information

This research is supported by the Office of Naval Research.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Jeffords, R.D., Heitmeyer, C.L., Archer, M.M. et al. Model-based construction and verification of critical systems using composition and partial refinement. Form Methods Syst Des 37, 265–294 (2010). https://doi.org/10.1007/s10703-010-0106-9

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10703-010-0106-9

Keywords

Search

Navigation