Skip to main content
SpringerLink
Log in

Rigorous development process of a safety-critical system: from ASM models to Java code

  • ABZ 2014
  • Published:
International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript

Abstract

The paper presents an approach for rigorous development of safety-critical systems based on the Abstract State Machine formal method. The development process starts from a high level formal view of the system and, through refinement, derives more detailed models till the desired level of specification. Along the process, different validation and verification activities are available, as simulation, model review, and model checking. Moreover, each refinement step can be proved correct using an SMT-based approach. As last step of the refinement process, a Java implementation can be developed and linked to the formal specification. The correctness of the implementation w.r.t. its formal specification can be proved by means of model-based testing and runtime verification. The process is exemplified by using a Landing Gear System as case study.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15

Similar content being viewed by others

Notes

  1. http://asmeta.sourceforge.net/download/asmrefprover.html.

  2. http://asmeta.sourceforge.net/.

  3. Note that sequences generated by ATGT could be used to test programs written in any programming language.

  4. All the models are available online at http://fmse.di.unimi.it/sw/LGS_STTT.zip.

  5. In the case study [14], this behavior is described as follows: if the control software does not see the value \(door\_closed[x] = false\) for all \(x \in \{front, left, right\}\) 7 seconds after stimulation of the opening electro-valve, then the doors are considered as blocked and an anomaly is detected.

  6. Pure methods are side effect free methods with respect to the object/program state. They return a value but do not assign values to fields.

  7. We do not consider the default constructor. If the class does not have any constructor, the user has to specify an empty constructor and annotate it with @StartMonitoring.

  8. The user can identify several changing methods, but, in this case, each changing method must be linked with a different monitored value by the two annotation attributes setFunction, specifying the name of a 0-ary monitored function of the ASM model, and toValue, specifying a value of the function codomain: setFunction must identify the same function in all the annotations, while toValue must assume different values.

References

  1. Abrial, J.-R.: Modeling in Event-B: System and Software Engineering, 1st edn. Cambridge University Press, New York, NY, USA (2010)

    Book  MATH  Google Scholar 

  2. Arcaini, P., Gargantini, A., Riccobene, E.: AsmetaSMV: a way to link high-level ASM models to low-level NuSMV specifications. In: Proceedings of the 2nd International Conference on Abstract State Machines, Alloy, B and Z (ABZ 2010), volume 5977 of Lecture Notes in Computer Science, pages 61–74. Springer (2010)

  3. Arcaini, P., Gargantini, A., Riccobene, E.: Automatic Review of Abstract State Machines by Meta-Property Verification. In: Muñoz, C. (ed.) Proceedings of the Second NASA Formal Methods Symposium (NFM 2010), NASA/CP-2010-216215, pp. 4–13. NASA (2010)

  4. Arcaini, P., Gargantini, A., Riccobene, E.: CoMA: Conformance monitoring of Java programs by Abstract State Machines. In: Khurshid, S., Sen, K. (eds.) Runtime Verification volume 7186 of Lecture Notes in Computer Science, pp. 223–238. Springer (2012)

  5. Arcaini, P., Gargantini, A., Riccobene, E.: Combining model-based testing and runtime monitoring for program testing in the presence of nondeterminism. In: 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation, Workshops Proceedings, Luxembourg, March 18-22, 2013, pp. 178–187. IEEE (2013)

  6. Arcaini, P., Gargantini, A., Riccobene, E.: Modeling and Analyzing Using ASMs: The Landing Gear System Case Study. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.D. (eds.) ABZ 2014: The Landing Gear Case Study volume 433 of Communications in Computer and Information Science, pp. 36–51. Springer International Publishing (2014)

  7. Arcaini, P., Gargantini, A., Riccobene, E.: Offline Model-Based Testing and Runtime Monitoring of the Sensor Voting Module. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.D. (eds.) ABZ 2014: The Landing Gear Case Study volume 433 of Communications in Computer and Information Science, pp. 95–109. Springer International Publishing (2014)

  8. Arcaini, P., Gargantini, A., Riccobene, E.: Using SMT for dealing with nondeterminism in ASM-based runtime verification. ECEASST 70 (2014)

  9. Arcaini, P., Gargantini, A., Riccobene, E., Scandurra, P.: A model-driven process for engineering a toolset for a formal method. Softw.: Pract. Exp. 41, 155–166 (2011)

    Google Scholar 

  10. Banach, R.: The Landing Gear Case Study in Hybrid Event-B. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.D. (eds.) ABZ 2014: The Landing Gear Case Study volume 433 of Communications in Computer and Information Science, pp. 126–141. Springer International Publishing (2014)

  11. Barnett, M., Schulte, W.: Runtime verification of NET contracts. J. Syst. Softw. 65(3), 199–208 (2003)

    Article  Google Scholar 

  12. Bauer, A., Leucker, M., Schallhart, C.: Runtime verification for LTL and TLTL. ACM Trans. Softw. Method. (TOSEM) 20 (2011)

  13. Berthomieu, B., Dal Zilio, S., Fronc, Ł.: Model-Checking Real-Time Properties of an Aircraft Landing Gear System Using Fiacre. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.D. (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 110–125. Springer International Publishing (2014)

  14. Boniol, F., Wiels, V.: The Landing Gear System Case Study. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.D. (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 1–18. Springer International Publishing (2014)

  15. Boniol, F., Wiels, V., Ameur, Y.A., Schewe, K.-D.: ABZ 2014: The Landing Gear Case Study Case Study Track, Held at the 4th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z Toulouse, France, June 2-6, 2014, Proceedings. Springer International Publishing (2014)

  16. Börger, E.: The ASM refinement method. Form. Aspects Comput. 15, 237–257 (2003)

    Article  MATH  Google Scholar 

  17. Börger, E.: The ASM method for system design and analysis. A tutorial introduction. In: Gramlich, B. (ed.) Proceedings of Frontiers of Combining Systems, 5th International Workshop, FroCoS 2005, Vienna, Austria, September 19-21, 2005, volume 3717 of Lecture Notes in Computer Science, pp. 264–283. Springer (2005)

  18. Börger, E.: Abstract State Machines: A Method for High-Level System Design and Analysis. Springer, Berlin Heidelberg (2003)

    Book  MATH  Google Scholar 

  19. Carioni, A., Gargantini, A., Riccobene, E., Scandurra, P.: A Scenario-Based Validation Language for ASMs. In: Proceedings of the 1st International Conference on Abstract State Machines, B and Z (ABZ 2008), volume 5238 of Lecture Notes in Computer Science, pp. 71–84. Springer-Verlag (2008)

  20. Chen, F., D’Amorim, M., Roşu, G.: A formal monitoring-based framework for software development and analysis. In: Davies, J., Schulte, W., Barnett, M. (eds.) Formal Methods and Software Engineering, volume of 3308 LNCS, pp. 357–372. Springer, Berlin / Heidelberg (2004)

  21. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge, MA, USA (1999)

    Google Scholar 

  22. Dausend, M., Raschke, A.: Introducing Aspect-Oriented Specification for Abstract State Machines. In: Ait Ameur, Y., Schewe, K.-D. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z, volume 8477 of Lecture Notes in Computer Science, pp. 174–187. Springer Berlin Heidelberg (2014)

  23. Dausend, M., Stegmaier, M., Raschke, A.: Debugging Abstract State Machine Specifications: An Extension of CoreASM. In: Mazzanti, F., Trentanni, G. (eds.) Proceedings of iFM 2012 & ABZ 2012 - Posters & Tool demos Session, pp. 21–25 (2012)

  24. Delgado, N., Gates, A.Q., Roach, S.: A taxonomy and catalog of runtime software-fault monitoring tools. IEEE Trans. Softw. Eng. 30(12), 859–872 (2004)

    Article  Google Scholar 

  25. Dhaussy, P., Teodorov, C.: Context-Aware Verification of a Landing Gear System. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D. (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 52–65. Springer International Publishing (2014)

  26. Falcone, Y., Havelund, K., Reger, G.: A Tutorial on Runtime Verification. In: Engineering Dependable Software Systems, volume 34 of NATO Science for Peace and Security Series—D: Information and Communication Security, pp. 141–175. IOS Press (2013)

  27. Farahbod, R., Glässer, U.: The CoreASM modeling framework. Softw., Pract. Exp. 41(2), 167–178 (2011)

    Article  Google Scholar 

  28. Gargantini, A., Riccobene, E.: ASM-based testing: coverage criteria and automatic test sequence generation. J. Univ. Comput. Sci. 7, 262–265 (2001)

    Google Scholar 

  29. Gargantini, A., Riccobene, E., Rinzivillo, S.: Using Spin to Generate Tests from ASM Specifications. In: Börger, E., Gargantini, A., Riccobene, E. (eds.) Abstract State Machines 2003, volume of 2589 Lecture Notes in Computer Science, pp. 263–277. Springer, Berlin Heidelberg (2003)

  30. Gargantini, A., Riccobene, E., Scandurra, P.: A metamodel-based language and a simulation engine for abstract state machines. J. Univ. Comput. Sci. 14(12), 1949–1983 (2008)

    Google Scholar 

  31. Glässer, U., Hallerstede, S., Leuschel, M., Riccobene, E.: Integration of tools for rigorous software construction and analysis (Dagstuhl Seminar 13372). Dagstuhl Rep. 3(9), 74–105 (2013)

    Google Scholar 

  32. Hansen, D., Ladenberger, L., Wiegard, H., Bendisposto, J., Leuschel, M.: Validation of the ABZ Landing Gear System Using ProB. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D. (eds.) ABZ 2014: The Landing Gear Case Study volume 433 of Communications in Computer and Information Science, pp. 66–79.Springer International Publishing (2014)

  33. Hierons, R., Derrick, J.: Editorial: special issue on specification-based testing. Softw. Test. Verif. Reliab. 10(4), 201–202 (2000)

    Article  Google Scholar 

  34. Kossak, F.: Landing Gear System: An ASM-Based Solution for the ABZ Case Study. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D. (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 142–147. Springer International Publishing (2014)

  35. Laddad, R.: AspectJ in Action: Practical Aspect-Oriented Programming. Manning Publications Co., Greenwich, CT, USA (2003)

    Google Scholar 

  36. Liang, H., Dong, J., Sun, J., Wong, W.: Software monitoring through formal specification animation. Innov. Syst. Soft. Eng. 5, 231–241 (2009)

    Article  Google Scholar 

  37. Mammar, A., Laleau, R.: Modeling a Landing Gear System in Event-B. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D. (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 80–94. Springer International Publishing (2014)

  38. Méry, D., Singh, N. K.: Modeling an Aircraft Landing System in Event-B. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D., (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 154–159. Springer International Publishing (2014)

  39. Schellhorn, G.: Verification of ASM refinements using generalized forward simulation. J. Univ. Comput. Sci. 7(11), 952–979 (2001)

    MathSciNet  Google Scholar 

  40. Slissenko, A., Vasilyev, P.: Simulation of timed abstract state machines with predicate logic model-checking. J. Univ. Comput. Sci. 14(12), 1984–2006 (2008)

    MATH  Google Scholar 

  41. Stärk, R.F., Schmid, J., Börger, E.: Java and the Java Virtual Machine: Definition, Verification, Validation. Springer (2001)

  42. Su, W., Abrial, J.-R.: Aircraft Landing Gear System: Approaches with Event-B to the Modeling of an Industrial System. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D. (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 19–35. Springer International Publishing (2014)

  43. Utting, M., Legeard, B.: Practical Model-Based Testing: A Tools Approach. Morgan-Kaufmann, San Francisco, CA (2006)

    Google Scholar 

  44. Woodcock, J., Larsen, P.G., Bicarregui, J., Fitzgerald, J.: Formal methods: practice and experience. ACM Comput. Surv. 41(4), 19:1–19:36 (2009)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Charles University in Prague, Faculty of Mathematics and Physics, Prague, Czech Republic

    Paolo Arcaini

  2. Department of Management, Information and Production Engineering, University of Bergamo, Bergamo, Italy

    Angelo Gargantini

  3. Department of Computer Science, Università degli Studi di Milano, Milan, Italy

    Elvinia Riccobene

Authors
  1. Paolo Arcaini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Angelo Gargantini
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Elvinia Riccobene
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Paolo Arcaini.

Additional information

The work was partially supported by Charles University research funds PRVOUK.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Arcaini, P., Gargantini, A. & Riccobene, E. Rigorous development process of a safety-critical system: from ASM models to Java code. Int J Softw Tools Technol Transfer 19, 247–269 (2017). https://doi.org/10.1007/s10009-015-0394-x

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10009-015-0394-x

Keywords

Search

Navigation