Towards model checking executable UML specifications in mCRL2

  • Helle Hvid Hansen
  • Jeroen Ketema
  • Bas Luttik
  • MohammadReza Mousavi
  • Jaco van de Pol
Open Access
Original Paper


We describe a translation of a subset of executable UML (xUML) into the process algebraic specification language mCRL2. This subset includes class diagrams with class generalisations, and state machines with signal and change events. The choice of these xUML constructs is dictated by their use in the modelling of railway interlocking systems. The long-term goal is to verify safety properties of interlockings modelled in xUML using the mCRL2 and LTSmin toolsets. Initial verification of an interlocking toy example demonstrates that the safety properties of model instances depend crucially on the run-to-completion assumptions.


Software verification and validation Specification languages Model checking Executable UML Process algebra 



This research is partially funded by the European Comission (EC), as a grant to the FP7 project INESS, grant agreement no. 218575. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of either the EC or the INESS consortium.

Open Access

This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.


  1. 1.
    Alur R, Yannakakis M (2001) Model checking of hierarchical state machines. ACM Trans Program Lang Syst 23(3): 273–303CrossRefGoogle Scholar
  2. 2.
    Baier C, Katoen J-P (2008) Principles of model checking. The MIT Press, New YorkMATHGoogle Scholar
  3. 3.
    Bergstra JA, Klop JW (1984) Process algebra for synchronous communicati. Inf Control 60(1–3): 109–137MATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Blom S, van de Pol J (2008) Symbolic reachability for process algebras with recursive data types. In: Proceedings on theoretical aspects of computing (ICTAC 2008). Lecture Notes in Computer Science, vol 5160. Springer, Berlin, pp 81–95Google Scholar
  5. 5.
    Blom SCC, van de Pol JC, Weber M (2009) Bridging the gap between enumerative and symbolic model checkers. Technical Report TR-CTIT-09-30, CTIT, University of Twente, EnschedeGoogle Scholar
  6. 6.
    Cimatti A, Giunchiglia F, Mongardi G, Romano D, Torielli F, Traverso P (1998) Formal verification of a railway interlocking system using model checking. Formal Aspects Comput 10(4): 361–380MATHCrossRefGoogle Scholar
  7. 7.
    Damm W, Josko B, Pnueli A, Votintseva A (2005) A discrete-time UML semantics for concurrency and communication in safety-critical applications. Sci Comput Program 55: 81–155MATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Eriksson L-H (1996) Specifying railway interlocking requirements for practical use. In: Proceedings of the 15th international conference on computer safety, reliability and security (SAFECOMP’96). Springer, BerlinGoogle Scholar
  9. 9.
    Xie F, Levin V, Browne J (2001) Model checking for an executable subset of UML. In: 16th IEEE international conference on automated software engineering (ASE 2001), pp 333–336Google Scholar
  10. 10.
    Fokkink W (1996) Safety criteria for the vital processor interlocking at Hoorn-Kersenboogerd. In: 5th conference on computers in railways (COMPRAIL’96). Volume I: railway systems and managementGoogle Scholar
  11. 11.
    Gnesi S, Latella D, Lenzini G, Abbaneo C, Amendola AM, Marmo P (2000) An automatic SPIN validation of a safety critical railway control system. In: Proceedings of the 2000 international conference on dependable systems and networks. IEEE Computer Society, Washington, DC, pp 119–124Google Scholar
  12. 12.
    Groote JF, Mathijssen A, Reniers MA, Usenko YS, van Weerdenburg M (2007) The formal specification language mCRL2. In: Proceedings of methods for modelling software systems, Dagstuhl seminar proceedings, vol 06351Google Scholar
  13. 13.
    Hu Z, Shatz SM (2006) Explicit modeling of semantics associated with composite states in UML statecharts. J Autom Softw Eng 13(4): 423–467CrossRefGoogle Scholar
  14. 14.
    KnowGravity (2008) Cassandra/xUML user’s guide.
  15. 15.
    Mellor SJ, Balcer M (2002) Executable UML: a foundation for model-driven architecture. Addison Wesley, ReadingGoogle Scholar
  16. 16.
    Object Management Group (2008) Semantics of a foundational subset for executable UML models. Accessed Nov 2008
  17. 17.
    Object Management Group (2009) OMG unified modeling language superstructure version 2.2. Accessed Feb 2009
  18. 18.
    Purandar B, Ramesh S (2004) Model checking of statechart models: survey and research directions. Accessed July 2004
  19. 19.
    Turner E, Treharne H, Schneider S, Evans N (2008) Automatic generation of CSP || B skeletons from xUML models. In: Proc. of Theoretical Aspects of Computing (ICTAC 2008), pp. 364–379Google Scholar
  20. 20.
    von der Beeck M (2001) Formalization of UML-statecharts. In: Proceedings UML 2001. Lecture Notes in Computer Science, vol 2185. Springer, Berlin, pp 406–421Google Scholar
  21. 21.
    Winter K, Robinson NJ (2003) Modelling large railway interlockings and model checking small ones. In: ACSC ’03: Proceedings of the 26th Australasian computer science conference, pp 309–316. Australian Computer Society, Inc.Google Scholar
  22. 22.
    Yeung WL, Leung KRPH, Wang J, Dong W (2005) Improvements towards formalizing UML state diagrams in CSP. In: Proceedings of the 12th Asia-Pacific software engineering conference (APSEC 2005). IEEE Computer SocietyGoogle Scholar

Copyright information

© The Author(s) 2010

Authors and Affiliations

  • Helle Hvid Hansen
    • 1
  • Jeroen Ketema
    • 2
  • Bas Luttik
    • 1
  • MohammadReza Mousavi
    • 1
  • Jaco van de Pol
    • 2
  1. 1.Eindhoven University of TechnologyEindhovenThe Netherlands
  2. 2.University of TwenteEnschedeThe Netherlands

Personalised recommendations