Preface of the special issue on formal methods in industrial critical systems



The use of formal methods in industrial critical systems has a lot of potential to increase the quality and reliability of these systems. Three of the main challenges of the application of formal methods in industrial systems are scalability, their often inherent complexity and the integration into existing development processes. Due to this, their application is limited mainly to where usage is highly recommended by domain-specific standards, e.g., in light rail and avionics. The contributions in this special issue address some of these core problems of using formal methods in industry. The articles are based on papers selected from the 2015 Fmics workshop, an annual forum organized by the Ercim working group dedicated to formal methods for industrial critical systems.


Safety critical Formal methods Industrial systems 

1 Background

The application of formal methods in industrial critical systems faces several challenges. Approaches that work well on small- to medium-sized scale often do not scale. Many methods have an inherent complexity that requires extensive training and also implies high additional cost. In most industries, there are well-established development processes into which the use of formal methods must be integrated into in a sensible way.

This special issue contains extended versions of the best three papers presented at Fmics 2015, the 20th International Workshop on Formal Methods for Industrial Critical Systems. The workshop took place on June 22–23, 2015, in Oslo, Norway. The Fmics 2015 workshop was collocated with the 20th International Symposium on Formal Methods, Fm 2015.

The aim of the workshop series is to provide a forum for researchers interested in the development and application of formal methods in industry. In particular, Fmics brings together scientists and engineers who are active in the area of formal methods and interested in exchanging their experiences in the industrial usage of these methods. The Fmics workshop series also strives to promote research and development for the improvement of formal methods and tools for industrial applications.

From the 12 papers presented at the 2015 edition of the workshop, we invited the authors of the three best rated ones to submit an extended version to this special issue. Each of the submissions went through a rigorous review and revision process to ensure the highest quality of the contributions.

The application of formal methods in industrial contexts typically requires applicability to large problem sizes and also a concrete implementation of an approach. Amman and Ciobanu [1] address the problem of usability by introducing a prototyping language of real-time systems and properties. Aichernig et al. [2] provide means to integrate formal methods into a model-based testing approach, which tackles the problem of process integration. Finally, Damouche et al. [3] consider the problem of scalability of formal methods by showing how one part of programs, namely numerical algorithms using floating-point arithmetic, can be automatically enhanced.

We would like to thank all the authors contributing to this special issue. We would also like to thank the additional reviewers Luis Llana, Wendelin Serwe, Alvaro Arenas and Tiziana Margaria, for their hard work, and the Sttt editors-in-chief Bernhard Steffen and John Hatcliff, and Julia Rehder for their support in the creation of this special issue.

2 Selected papers

In the first paper of this collection [1], Amman and Ciobanu introduce the modeling language real-time TiMo (rTiMo) and the corresponding verification platform TiMo@PAT. This is a prototyping language for describing real-time systems and specific features thereof, like timeouts, explicit locations, timed migration and timed communication. The key idea is to define compositional equivalence relations for system behavior that makes the approach a scalable way to verify concurrent critical systems. Any system component with the desired behavior can be exchanged with an equivalent component without altering the system correctness, but potentially providing a better performance for the overall system.

The authors define a bisimulation relation for equivalence of systems where systems are considered to be equivalent if their multi-sets of parallel actions are the same for each state. The approach facilitates the verification of time-bounded equivalence, for example, if equivalence is only desired for a subset of states and locations. It also supports time-bounded reachability analysis where the state space can be reduced via equivalence reductions. The language is implemented in the Pat [4] platform. It supports checking for deadlock freeness, reachability and also extraction of optimized traces, for example, for minimization of run time.

The approach is illustrated using a safety-critical example from the railway domain. Two railway roads cross the same bridge, and a controller has to make sure that only one train enters the bridge.

In the second paper [2], Aichernig et al. introduce a method for model-based test case generation for safety-critical systems. It is based on the model of requirement interfaces which describe a set of different views on a system. This allows for an incremental test case generation and eases the state space explosion problem by limiting the analysis to a single requirement interface at a time. The tests can then be completed incrementally with constraints from other requirement interfaces.

The proposed approach results in a framework that provides a natural association between informal requirements, the formal specification and the generated tests. This provides model-based testing where the system under test is tested with respect to a formal model of the system specification, which allows to measure completeness of the test coverage. The authors describe model-based mutation testing as a fault-based test case generation technique that guarantees completeness of the generated test suite with respect to the fault model, under the assumption of a deterministic system.

The requirement contracts are expressed as labeled transition systems (LTS) with assume/guarantee contracts. The overall specification is represented by the conjunction of the single requirement interfaces. This allows for verification of consistency of a specification; an inconsistent one cannot have a correct implementation. For test case generation, test purposes are specified as target states of the LTS and their reachability is analyzed.

The consistency check is realized via the construction of the transition relation of the LTS, generated from the assume/guarantee contracts. The analysis is done via bounded model checking using the Z3Smt solver. Test case generation is done via reachability analysis of a test purpose in an LTS representing the specification. The approach also allows for the identification of the minimal set of inconsistent requirements via QuickXPlain [5].

The model-based mutation testing finally modifies the guarantees of contracts via a mutation function. Pre-defined mutation functions exist, e.g., bit flip, off-by-one, comparison operator change or logic operator changes. If the generated tests for the mutated model pass, then the fault from the model is not implemented in the system.

The overall approach is illustrated with two industrial examples. For a safing engine of an airbag chip, the approach revealed some under-specified requirements which lead to ambiguities in the specification. For an automated speed limiter, the mutation-based test generation provided a test suite that detected errors in a fault-injected software model of the system.

In the third paper [3], Damouche et al. describe an automated method to increase the accuracy of programs using Ieee 754 floating-point arithmetic. The approach provides means for intra-procedure transformations that reduce the calculation errors and increase their stability. The semantics of the program does not change in the sense that the transformed program is equivalent to the original one if exact arithmetic would be used.

The approach is based on abstract program expression graphs (APEG) [6] which can represent an exponential number of expression in polynomial space. Transformation rules are applied to this structure that preserve the mathematical exact semantics but improve the floating-point error. This calculation is done by using techniques from abstract interpretation for floating-point arithmetic. Abstract values are represented as pairs of intervals, a range of floating- point values and a range of errors.

The approach is implemented in a tool, which is applied to different case studies: a PID controller, a lead–lag system, Runge–Kutta methods of different orders and the trapezoidal integration rule. In all cases, the accuracy is improved and the transformed programs execute faster.


  1. 1.
    Aman, B., Ciobanu, G.: Verification of critical systems described in real-time TiMo. Int. J. Softw. Tools Technol. Transfer (2016). doi:10.1007/s10009-016-0439-9
  2. 2.
    Aichernig, B.K., Hörmaier, K., Lorber, F., Ničkovic, D., Tiran, S.: Require, test and trace IT. Int. J. Softw. Tools Technol. Transfer (2016). doi:10.1007/s10009-016-0444-z
  3. 3.
    Damouche, N., Martel, M., Chapoutot, A.: Improving the numerical accuracy of programs by automatic transformation. Int. J. Softw. Tools Technol. Transfer (2016). doi10.1007/s10009-016-0435-0
  4. 4.
    Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: towards flexible verification under fairness. In: Computer Aided Verification: \(21^{st}\) International Conference (CAV 2009). LNCS. Springer (2009)Google Scholar
  5. 5.
    Junker, U.: QUICKXPLAIN: Preferred explanations and relaxations for over-constrained problems. In: Proceedings of the 19th National Conference on Artificial Intelligence, pp 167–172. AAAI Press, California (2004)Google Scholar
  6. 6.
    Ioualalen, A., Martel, M.: A new abstract domain for the representation of mathematically equivalent expressions. In: Proceedings of the \(19^{th}\) International Conference on Static Analysis (SAS 2012). LNCS. Springer (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. 1.DiffBlue ltd.OxfordUK
  2. 2.Departamento de Sistemas Informáticos y ComputaciónUniversidad Complutense de MadridMadridSpain

Personalised recommendations