Abstract
This article introduces a new model-based method for incrementally constructing critical systems and illustrates its application to the development of fault-tolerant systems. The method relies on a special form of composition to combine software components and a set of proof rules to obtain high confidence of the correctness of the composed system. As in conventional component-based software development, two (or more) components are combined, but in contrast to many component-based approaches used in practice, which combine components consisting of code, our method combines components represented as state machine models. In the first phase of the method, a model is developed of the normal system behavior, and system properties are shown to hold in the model. In the second phase, a model of the required fault-handling behavior is developed and “or-composed” with the original system model to create a fault-tolerant extension which is, by construction, “fully faithful” (every execution possible in the normal system is possible in the fault-tolerant system). To model the fault-handling behavior, the set of states of the normal system model is extended through new state variables and new ranges for some existing state variables, and new fault-handling transitions are defined. Once constructed, the fault-tolerant extension is shown, using a set of property inheritance and compositional proof rules, to satisfy both the overall system properties, typically weakened, and selected fault-tolerance properties. These rules can often be used to verify the properties automatically. To provide a formal foundation for the method, formal notions of or-composition, partial refinement, fault-tolerant extension, and full faithfulness are introduced. To demonstrate and validate the method, we describe its application to a real-world, fault-tolerant avionics system.
Similar content being viewed by others
References
Abadi M, Lamport L (1991) The existence of refinement mappings. Theor Comput Sci 82(2):253–284
Abadi M, Lamport L (1993) Composing specifications. ACM Trans Program Lang Syst 15(1):73–132
Alpern B, Schneider FB (1985) Defining liveness. Inf Process Lett 21(4):181–185
Arora A, Attie PC, Emerson EA (1998) Synthesis of fault-tolerant concurrent programs. In: Proc PODC’98, pp 173–182
Arora A, Kulkarni SS (1998) Component based design of multitolerant systems. IEEE Trans Softw Eng 24(1):63–78
Avizienis A, Laprie JC, Randell B (2000) Fundamental concepts of dependability. In: Proc information survivability workshop (ISW-2000), Boston
Banach R, Cross R (2004) Safety requirements and fault trees using retrenchment. In: Heisel M, Liggesmeyer P, Wittman S (eds) Proc SAFECOMP-04
Banach R, Poppleton M, Jeske C, Stepney S (2007) Engineering and theoretical underpinnings of retrenchment. Sci Comput Program 67:301–329
Bernardeschi C, Fantechi A, Simoncini L (2000) Formally verifying fault tolerant system designs. Comput J 43(3):191–205
Bharadwaj R, Heitmeyer C (2000) Developing high assurance avionics systems with the SCR requirements method. In: Proc 19th digital avionics sys conf
Bharadwaj R, Sims S (2000) Salsa: combining constraint solvers with BDDs for automatic invariant checking. In: Proc tools and algorithms for the construction and analysis of systems (TACAS 2000), Berlin
Börger E, Stärk R (2003) Abstract state machines: a method for high-level system design and analysis. Springer, Berlin
Cau A, de Roever WP (1993) Using relative refinement for fault tolerance. In: Woodcock J, Larsen PG (eds) Formal methods Europe 1993 symp (FMS’93), Odense, Denmark. LNCS, vol 670. Springer, Berlin, pp 19–41
Clarke EM, Grumberg O, Peled DA (1999) Model checking. MIT Press, Cambridge
Dijkstra EW (1997) A discipline of programming. Prentice Hall PTR, Upper Saddle River
Ebnenasir A (2005) Automatic synthesis of fault-tolerance. Ph.D. thesis, Michigan State Univ., East Lansing, MI
France R, Rumpe B (2007) Model-driven development of complex software: a research roadmap. In: 2007 future of software engineering (FOSE’07). IEEE Comput Soc, Los Alamitos
Garland SJ, Lynch N (2000) Using I/O automata for developing distributed systems. In: Leavens GT, Sitaraman M (eds) Foundations of component-based systems. Cambridge Univ Press, Cambridge, pp 285–312
Gärtner FC (1999) Transformational approaches to the specification and verification of fault-tolerant systems: formal background and classification. J Univ Comput Sci 5(10)
Halbwachs N (1993) Synchronous programming of reactive systems. Kluwer Academic, Boston
Harel D (1987) StateCharts: a visual formalism for complex systems. Sci Comput Program 8(3):231–274
Heimdahl MPE, Leveson N (1996) Completeness and consistency in hierarchical state-based requirements. IEEE Trans Softw Eng 22(6):363–377
Heitmeyer C, Archer M, Bharadwaj R, Jeffords R (2005) Tools for constructing requirements specifications: the SCR toolset at the age of ten. Comput Syst Sci Eng 20(1):19–35
Heitmeyer C, Bharadwaj R (2000) Applying the SCR requirements method to the light control case study. J Univers Comput 6(7):650–678
Heitmeyer CL, Archer MM, Leonard EI, McLean JD (2008) Applying formal methods to a certifiably secure software system. IEEE Trans Softw Eng 34(1):82–98
Heitmeyer CL, Jeffords RD, Labaw BG (1996) Automated consistency checking of requirements specifications. ACM Trans Softw Eng Methodol 5(3):231–261
Jeffords R, Heitmeyer C (1998) Automatic generation of state invariants from requirements specifications. In: Proc 6th ACM SIGSOFT symp on foundations of software eng
Jeffords RD, Heitmeyer CL (2003) A strategy for efficiently verifying requirements. In: ESEC/FSE-11: Proc 9th Euro softw eng conf/11th ACM SIGSOFT int symp on foundations of softw eng, pp 28–37
Jeffords RD, Heitmeyer CL, Archer M, Leonard EI (2009) A formal method for developing provably correct fault-tolerant systems using partial refinement and composition. In: Cavalcanti A, Dams D (eds) Proc FM2009: formal methods, 2nd world congress, Eindhoven, The Netherlands. LNCS, vol 5850. Springer, Berlin, pp 173–189
Katz S (2006) Aspect categories and classes of temporal properties. In: LNCS, vol 3880, pp 106–134
Kiczales G, Lamping J, Medhekar A, Maeda C, Lopes CV, Loingtier J.-M., Irwin J. (1997) Aspect-oriented programming. In: Object-oriented programming (ECOOP97). LNCS, vol 1241. Springer, Berlin
Kulkarni S (2010) Personal communication
Kulkarni SS, Arora A (2000) Automating the addition of fault-tolerance. In: Joseph M (ed) FTRTFT’00. LNCS, vol 1926. Springer, Berlin, pp 83–93
Lamport L (1994) The temporal logic of actions. TOPLAS 16(3):872–923
Liu Z, Joseph M (1992) Transformations of programs for fault-tolerance. Form Asp Comput 4(5):442–469
Liu Z, Joseph M (1999) Specification and verification of fault-tolerance timing, and scheduling. ACM Trans Program Lang Syst 21(1):46–89
Miller SP, Tribble A (2001) Extending the four-variable model to bridge the system-software gap. In: Proc 20th digital avionics sys conf
Parnas DL, Madey J (1995) Functional documentation for computer systems. Sci Comput Program 25(1):41–61
Rothamel T, Heitmeyer C, Leonard E, Liu A (2006) Generating optimized code from SCR specifications. In: Proc ACM SIGPLAN/SIGBED conference on languages, compilers, and tools for embedded systems (LCTES), pp 135–144
Shankar N, Owre S, Rushby JM, Stringer-Calvert DWJ (2001) PVS Prover Guide, Version 2.4. Tech. rep., Computer Science Lab, SRI International, Menlo Park, CA
Szyperski C (2002) Component software: beyond object-oriented programming. Addison–Wesley Longman, Boston
Author information
Authors and Affiliations
Corresponding author
Additional information
This research is supported by the Office of Naval Research.
Rights and permissions
About this article
Cite this article
Jeffords, R.D., Heitmeyer, C.L., Archer, M.M. et al. Model-based construction and verification of critical systems using composition and partial refinement. Form Methods Syst Des 37, 265–294 (2010). https://doi.org/10.1007/s10703-010-0106-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10703-010-0106-9