Software & Systems Modeling

, Volume 16, Issue 2, pp 587–624 | Cite as

Contract-based modeling and verification of timed safety requirements within SysML

Regular Paper
  • 424 Downloads

Abstract

In order to cope with the growing complexity of critical real-time embedded systems, systems engineering has adopted a component-based design technique driven by requirements. Yet, such an approach raises several issues since it does not explicitly prescribe how system requirements can be decomposed on components nor how components contribute to the satisfaction of requirements. The envisioned solution is to design, with respect to each requirement and for each involved component, an abstract specification, tractable at each design step, that models how the component is concerned by the satisfaction of the requirement and that can be further refined toward a correct implementation. In this paper, we consider such specifications in the form of contracts. A contract for a component consists in a pair (assumption, guarantee) where the assumption models an abstract behavior of the component’s environment and the guarantee models an abstract behavior of the component given that the environment behaves according to the assumption. Therefore, contracts are a valuable asset for the correct design of systems, but also for mapping and tracing requirements to components, for tracing the evolution of requirements during design and, most importantly, for compositional verification of requirements. The aim of this paper is to introduce contract-based reasoning for the design of critical real-time systems made of reactive components modeled with UML and/or SysML. We propose an extension of UML and SysML languages with a syntax and semantics for contracts and the refinement relations that they must satisfy. The semantics of components and contracts is formalized by a variant of timed input/output automata on top of which we build a formal contract-based theory. We prove that the contract-based theory is sound and can be applied for a relatively large class of SysML system models. Finally, we show on a case study extracted from the automated transfer vehicle (http://www.esa.int/ATV) that our contract-based theory allows to verify requirement satisfaction for previously intractable models.

Keywords

Contract-based reasoning Safety requirement Component-based design UML/SysML Compositional verification Timed input/output automata 

References

  1. 1.
    Abadi, M., Plotkin, G.D.: A logical view of composition. Theor. Comput. Sci. 114(1), 3–30 (1993)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Aboussoror, E., Ober, I., Ober, I.: Seeing errors: model driven simulation trace visualization. In: France, R., Kazmeier, J., Breu, R., Atkinson, C. (eds.) Model Driven Engineering Languages and Systems. Lecture Notes in Computer Science, vol. 7590, pp. 480–496. Springer, Berlin (2012)Google Scholar
  3. 3.
    Alur, R., Dill, D.L.: A theory of timed automata. Theor. Comput. Sci. 126(2), 183–235 (1994)MathSciNetCrossRefMATHGoogle Scholar
  4. 4.
    André, P., Gilles, A., Messabihi, M.: Vérification de contrats logiciels à l’aide de transformations de modèles. In: 7èmes journées sur l’Ingénierie Dirigée par les Modèles (IDM) (2011)Google Scholar
  5. 5.
    Arnold, A., Boyer, B., Legay, A.: Contracts and behavioral patterns for SoS: the EU IP DANSE approach. In: Larsen, K.G., Legay, A., Nyman, U. (eds.) AiSoS, EPTCS, vol. 133, pp. 47–66 (2013)Google Scholar
  6. 6.
    Basu, A., Bozga, M., Sifakis, J.: Modeling heterogeneous real-time components in BIP. In: SEFM’06, pp. 3–12 (2006)Google Scholar
  7. 7.
    Bauer, S.S., David, A., Hennicker, R., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Moving from specifications to contracts in component-based design. In: de Lara, J., Zisman, A. (eds.) FASE, Lecture Notes in Computer Science, vol. 7212, pp. 43–58. Springer (2012)Google Scholar
  8. 8.
    Bauer, S.S., Hennicker, R., Legay, A.: Component interfaces with contracts on ports. In: Pasareanu, C.S., Salaün, G. (eds.) Formal Aspects of Component Software, Lecture Notes in Computer Science, vol. 7683, pp. 19–35. Springer, Berlin (2013)Google Scholar
  9. 9.
    Benvenuti, L., Ferrari, A., Mangeruca, L., Mazzi, E., Passerone, R., Sofronis, C.: A contract-based formalism for the specification of heterogeneous systems. In: FDL’08. Forum on, pp. 142–147. IEEE (2008)Google Scholar
  10. 10.
    Beugnard, A., Jézéquel, J.M., Plouzeau, N., Watkins, D.: Making components contract aware. Computer 32(7), 38–45 (1999)CrossRefGoogle Scholar
  11. 11.
    Bobaru, M.G., Pasareanu, C.S., Giannakopoulou, D.: Automated assume-guarantee reasoning by abstraction refinement. In: Gupta, A., Malik, S. (eds.) CAV, Lecture Notes in Computer Science, vol. 5123, pp. 135–148. Springer (2008)Google Scholar
  12. 12.
    Bornot, S., Sifakis, J.: An algebraic framework for urgency. Inf. Comput. 163(1), 172–202 (2000)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Bourke, T., David, A., Larsen, K.G., Legay, A., Lime, D., Nyman, U., Wasowski, A.: New results on timed specifications. In: Mossakowski, T., Kreowski, H.J. (eds.) WADT, Lecture Notes in Computer Science, vol. 7137, pp. 175–192. Springer (2010)Google Scholar
  14. 14.
    Bozga, M., Graf, S., Ober, I., Ober, I., Sifakis, J.: The IF toolset. In: Bernardo, M., Corradini, F. (eds.) Formal Methods for the Design of Real-Time Systems. Lecture Notes in Computer Science, vol. 3185, pp. 237–267. Springer, Berlin (2004)Google Scholar
  15. 15.
    Chen, T., Chilton, C., Jonsson, B., Kwiatkowska, M.Z.: A Compositional specification theory for component behaviours. In: Seidl, H. (ed.) ESOP, Lecture Notes in Computer Science, vol. 7211, pp. 148–168. Springer (2012)Google Scholar
  16. 16.
    Cheung, S.C., Kramer, J.: Checking safety properties using compositional reachability analysis. ACM Trans. Softw. Eng. Methodol. 8(1), 49–78 (1999)CrossRefGoogle Scholar
  17. 17.
    Chilton, C., Jonsson, B., Kwiatkowska, M.Z.: Assume-guarantee reasoning for safe component behaviours. In: Pasareanu, C.S., Salaün, G. (eds.) Formal Aspects of Component Software, Lecture Notes in Computer Science, vol. 7683, pp. 92–109. Springer, Berlin (2013)Google Scholar
  18. 18.
    Chilton, C., Kwiatkowska, M.Z., Wang, X.: Revisiting Timed specification theories: a linear-time perspective. In: Jurdzinski, M., Nickovic, D. (eds.) FORMATS, Lecture Notes in Computer Science, vol. 7595, pp. 75–90. Springer (2012)Google Scholar
  19. 19.
    Cimatti, A., Dorigatti, M., Tonetta, S.: OCRA: a tool for checking the refinement of temporal contracts. In: Denney, E., Bultan, T., Zeller, A. (eds.) 2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013, Silicon Valley, CA, USA, November 11–15, 2013, pp. 702–705. IEEE (2013)Google Scholar
  20. 20.
    Cimatti, A., Tonetta, S.: A property-based proof system for contract-based design. In: Cortellessa, V., Muccini, H., Demirörs, O. (eds.) 38th Euromicro Conference on Software Engineering and Advanced Applications, SEAA 2012, Cesme, Izmir, Turkey, September 5–8, 2012, pp. 21–28. IEEE Computer Society (2012)Google Scholar
  21. 21.
    Cimatti, A., Tonetta, S.: Contracts-refinement proof system for component-based embedded systems. Sci. Comput. Progr. 97, 333–348 (2015)CrossRefGoogle Scholar
  22. 22.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, E., Sistla, A. (eds.) Computer Aided Verification. Lecture Notes in Computer Science, vol. 1855, pp. 154–169. Springer, Berlin (2000)Google Scholar
  23. 23.
    Clarke, E.M., Long, D.E., McMillan, K.L.: Compositional model checking. In: LICS, pp. 353–362. IEEE Computer Society (1989)Google Scholar
  24. 24.
    Combemale, B., Gonnord, L., Rusu, V.: A generic tool for tracing executions back to a DSML’s operational semantics. In: France, R.B., Küster, J.M., Bordbar, B., Paige R.F. (eds.) ECMFA, Lecture Notes in Computer Science, vol. 6698, pp. 35–51. Springer (2011)Google Scholar
  25. 25.
    Conquet, E., Dormoy, F.X., Dragomir, I., Graf, S., Lesens, D., Nienaltowski, P., Ober, I.: Formal model driven engineering for space onboard software. In: Proceedings of Embedded Real Time Software and Systems (ERTS2), Toulouse. SAE (2012)Google Scholar
  26. 26.
    Damm, W., Hungar, H., Josko, B., Peikenkamp, T., Stierand, I.: Using contract-based component specifications for virtual integration testing and architecture design. In: Design, Automation Test in Europe Conference Exhibition (DATE), 2011, pp. 1–6 (2011). doi: 10.1109/DATE.2011.5763167
  27. 27.
    David, A., Larsen, K.G., Legay, A., Møller, M.H., Nyman, U., Ravn, A.P., Skou, A., Wasowski, A.: Compositional verification of real-time systems using ECDAR. STTT 14(6), 703–720 (2012)CrossRefGoogle Scholar
  28. 28.
    David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Methodologies for specification of real-time systems using timed I/O automata. In: de Boer, F.S., Bonsangue, M.M., Hallerstede, S., Leuschel, M. (eds.) FMCO, Lecture Notes in Computer Science, vol. 6286, pp. 290–310. Springer (2009)Google Scholar
  29. 29.
    David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: ECDAR: an environment for compositional Design and analysis of real time systems. In: Proceedings of the 8th International Conference on Automated Technology for Verification and Analysis. ATVA’10, pp. 365–370. Springer, Berlin (2010)Google Scholar
  30. 30.
    David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Timed I/O automata: a complete specification theory for real-time systems. In: Johansson, K.H., Yi, W. (eds.) HSCC, pp. 91–100. ACM (2010)Google Scholar
  31. 31.
    de Alfaro, L., Henzinger, T.: Interface automata. In: Proceedings of the Ninth Annual Symposium on Foundations of Software Engineering (FSE), ACM, pp. 109–120. Press (2001)Google Scholar
  32. 32.
    de Alfaro, L., Henzinger, T.: Interface theories for component-based design. In: Henzinger, T., Kirsch, C. (eds.) Embedded Software. Lecture Notes in Computer Science, vol. 2211, pp. 148–165. Springer, Berlin (2001)Google Scholar
  33. 33.
    de Alfaro, L., Henzinger, T., Stoelinga, M.: Timed interfaces. In: Sangiovanni-Vincentelli, A., Sifakis, J. (eds.) Embedded Software. Lecture Notes in Computer Science, vol. 2491, pp. 108–122. Springer, Berlin (2002)Google Scholar
  34. 34.
    Dragomir, I., Ober, I., Lesens, D.: A case study in formal system engineering with SysML. In: Engineering of Complex Computer Systems (ICECCS), 2012 17th International Conference on, pp. 189–198 (2012)Google Scholar
  35. 35.
    Dragomir, I., Ober, I., Percebois, C.: Integrating Verifiable Assume/Guarantee Contracts in UML/SysML. Tech. Rep., IRIT (2013). http://www.irit.fr/Iulian.Ober/docs/TR-Syntax.pdf
  36. 36.
    Dragomir, I., Ober, I., Percebois, C.: Safety Contracts for Timed Reactive Components in SysML. Tech. Rep., IRIT (2013). http://www.irit.fr/Iulian.Ober/docs/TR-Contracts.pdf
  37. 37.
    Gacek, A., Katis, A., Whalen, M.W., Cofer, D.: Hierarchical Circular Compositional Reasoning. Tech. Rep. 2014-1, University of Minnesota Software Engineering Center, 200 Union St., Minneapolis, MN 55455 (2014)Google Scholar
  38. 38.
    Giannakopoulou, D., Pasareanu, C.S., Barringer, H.: Assumption generation for software component verification. In: Automated Software Engineering, 2002. Proceedings. ASE 2002. 17th IEEE International Conference on, pp. 3–12 (2002)Google Scholar
  39. 39.
    Graf, S., Quinton, S.: Contracts for BIP: hierarchical interaction models for compositional verification. In: Derrick, J., Vain, J. (eds.) FORTE, Lecture Notes in Computer Science, vol. 4574, pp. 1–18. Springer (2007)Google Scholar
  40. 40.
    Grumberg, O., Long, D.E.: Model checking and modular verification. In: CONCUR, LNCS, vol. 527, pp. 250–265. Springer (1991)Google Scholar
  41. 41.
    Hafaiedh, I.B., Graf, S., Quinton, S.: Reasoning about safety and progress using contracts. In: Dong, J.S., Zhu H. (eds.) ICFEM, Lecture Notes in Computer Science, vol. 6447, pp. 436–451. Springer (2010)Google Scholar
  42. 42.
    Kaynar, D.K., Lynch, N., Segala, R., Vaandrager, F.: The Theory of Timed I/O Automata, 2nd edn. Morgan and Claypool Publishers, San Rafael (2010)MATHGoogle Scholar
  43. 43.
    Knapp, A., Merz, S., Rauh, C.: Model checking timed UML state machines and collaborations. In: Damm, W., Olderog, E.R. (eds.) Formal Techniques in Real-Time and Fault-Tolerant Systems. Lecture Notes in Computer Science, vol. 2469, pp. 395–414. Springer, Berlin (2002)Google Scholar
  44. 44.
    Larsen, K., Nyman, U., Wasowski, A.: Interface input/output automata. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006: Formal Methods. Lecture Notes in Computer Science, vol. 4085, pp. 82–97. Springer, Berlin (2006)Google Scholar
  45. 45.
    Messabihi, M., André, P., Attiogbé, C.: Multilevel contracts for trusted components. In: International Workshop on Component and Service Interoperability, EPTCS, vol. 37, pp. 71–85 (2010)Google Scholar
  46. 46.
    Mikk, E., Lakhnechi, Y., Siegel, M.: Hierarchical automata as model for statecharts. In: Shyamasundar, R., Ueda, K. (eds.) Advances in Computing Science—ASIAN’97. Lecture Notes in Computer Science, vol. 1345, pp. 181–196. Springer, Berlin (1997)Google Scholar
  47. 47.
    Murugesan, A., Whalen, M.W., Rayadurgam, S., Heimdahl, M.P.: Compositional verification of a medical device system. Ada Lett. 33(3), 51–64 (2013)CrossRefGoogle Scholar
  48. 48.
    Ober, I., Dragomir, I.: OMEGA2: a new version of the profile and the tools. In: Engineering of Complex Computer Systems (ICECCS), 2010 15th IEEE International Conference on, pp. 373–378. IEEE (2010)Google Scholar
  49. 49.
    Ober, I., Dragomir, I.: Unambiguous UML composite structures: the OMEGA2 experience. In: Cerná, I., Gyimóthy, T., Hromkovic, J., Jeffery, K.G., Královic, R., Vukolic, M., Wolf, S. (eds.) SOFSEM, Lecture Notes in Computer Science, vol. 6543, pp. 418–430. Springer (2011)Google Scholar
  50. 50.
    Ober, I., Graf, S., Ober, I.: Validating timed UML models by simulation and verification. STTT 8(2), 128–145 (2006)CrossRefGoogle Scholar
  51. 51.
    Ober, I., Ober, I., Dragomir, I., Aboussoror, E.: UML/SysML semantic tunings. Innov. Syst. Softw. Eng. 7(4), 257–264 (2011)CrossRefGoogle Scholar
  52. 52.
    Object Management Group: Systems Modelling Language (SysML) v1.1 (2008). http://www.omg.org/spec/SysML/1.1/
  53. 53.
    Object Management Group: Unified Modelling Language (UML) v2.2 (2009). http://www.omg.org/UML/2.2/
  54. 54.
    Object Management Group: Object Constraint Language (OCL) v2.2 (2010). http://www.omg.org/spec/OCL/2.2/
  55. 55.
    Object Management Group: UML Profile for MARTE: Modeling and Analysis of Real-Time Embedded Systems v1.1 (2011). http://www.omg.org/spec/MARTE/
  56. 56.
    Object Management Group: Semantics of a Foundational Subset For Executable UML Models (fUML) v1.1 (2013). http://www.omg.org/spec/FUML/1.1/
  57. 57.
    Ouaknine, J., Worrell, J.: On the language inclusion problem for timed automata: closing a decidability gap. In: Logic in Computer Science, 2004. Proceedings of the 19th Annual IEEE Symposium on, pp. 54–63 (2004). doi: 10.1109/LICS.2004.1319600
  58. 58.
    Parnas, D., Weiss, D.: Active design reviews: principles and practices. In: ICSE’85. IEEE Computer Society (1985)Google Scholar
  59. 59.
    Payne, R., Fitzgerald, J.: Contract-Based Interface Specification Language for Functional and Non-Functional Properties. Tech. Rep., Newcastle University (2011). http://www.ncl.ac.uk/computing/research/publication/176971
  60. 60.
    Peled, D.: Software Reliability Methods. Texts in Computer Science. Springer, Berlin (2001)CrossRefGoogle Scholar
  61. 61.
    Quinton, S.: Design, vérification et implémentation de systèmes à composants. Ph.D. thesis, Université de Grenoble (2011)Google Scholar
  62. 62.
    Quinton, S., Graf, S.: Contract-based verification of hierarchical systems of components. In: SEFM’08, pp. 377–381 (2008)Google Scholar
  63. 63.
    SAE: Architecture Analysis and Design Language (AADL). Document No. AS5506/1 (2004). http://www.sae.org/technical/standards/AS5506/1
  64. 64.
    SPEEDS: D 2.5.4: Contract Specification Language (2008). http://speeds.eu.com/downloads/D_2_5_4_RE_Contract_Specification_Language.pdf
  65. 65.
    Wang, F.: Symbolic simulation-checking of dense-time automata. In: Raskin, J.F., Thiagarajan, P. (eds.) Formal Modeling and Analysis of Timed Systems. Lecture Notes in Computer Science, vol. 4763, pp. 352–368. Springer, Berlin (2007)Google Scholar
  66. 66.
    Wang, T., Sun, J., Liu, Y., Wang, X., Li, S.: Are timed automata bad for a specification language? Language inclusion checking for timed automata. In: Ábrahám, E., Havelund, K. (eds.) Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science, vol. 8413, pp. 310–325. Springer, Berlin (2014)Google Scholar
  67. 67.
    Weis, T., Becker, C., Geihs, K., Plouzeau, N.: A UML meta-model for contract aware components. In: 4th International Conference on The Unified Modeling Language, Modeling Languages, Concepts, and Tools (UML) 2001, pp. 442–456. Springer (2001)Google Scholar
  68. 68.
    Whalen, M.W., Gacek, A., Cofer, D., Murugesan, A., Heimdahl, M.P., Rayadurgam, S.: Your “what” is my “how”: iteration and hierarchy in system design. IEEE Softw. 30(2), 54–60 (2013)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Iulia Dragomir
    • 1
  • Iulian Ober
    • 2
  • Christian Percebois
    • 2
  1. 1.Department of Computer ScienceAalto UniversityEspooFinland
  2. 2.IRIT - University of ToulouseToulouseFrance

Personalised recommendations