FRENCH NATIONAL INSTITUTE FOR TRANSPORT SAFETY AND RESEARCH

A Formal Framework for UML Modeling with Timed Constraints: Application to Railway Control Systems

Rafael Marcano, Samuel Colin, Georges Mariano

Specification and Validation of UML models for Real Time and Embedded Systems – SVERTS'2004
Context: UML & railway applications

- UML/OCL as a formal notation
  - standard notation for systems modeling
  - but it lacks a formal semantics
- Our context: railway control systems
- Is UML/OCL actually formal enough to specify reliable software?
Context: the problem

- UML/OCL is still informally defined, an insecure basis for software development
- How to specify precisely? How to prove rigorously?
- Using the B formal method. Formal methods are used to:
  - specify precisely the components of a system
  - prove rigorously the desired structural/behavioral properties (analysis and verification)
Plan

1. Objective
2. The proposed process
3. From requirements to UML
4. From UML models to B specifications
   - mapping UML diagrams into B formal specifications
   - translating time features into extended B
5. Analysis and verification
6. Conclusion and discussion
I. Objective

Problem: how to enable analysis and verification of UML/OCL models with time properties?

Solution:
- combine the complementary strengths of UML/OCL and the B formal method
- extend B with a real-time semantics
- provide automated proof tools for the B specification language
UML/OCL + B: why B?

Advantages of the B formal method:
- precise and rigorous description of a system
- detection of inconsistencies and mistakes in the UML model
- proof of structural and behavioral properties
- consistency between diagrams ensured with a single formalism
- support for refinement

But B does not support timed characteristics.
II. The proposed process

1. Requirements elicitation: create a valid UML description of the required system
2. Formal specification: derive a B formal specification from the UML diagrams
3. Analysis and verification: generate proof obligations and prove them
III. From requirements to UML

Case study: a railway level crossing system [JS'00]
Requirements elicitation: sequence diagrams

Scenario of an approaching train (the diagram is reconstructed here as a message list; guards in brackets and timing constraints in braces are those written on the slide).

Lifelines: aTrain:TrainborneCS, aLC:LevelCrossingCS, :VehicleSensor, :Barrier, yellowLight:Light, redLight:Light, :BarrierSensor

Messages, in order:
- detectTrain(Arriving)
- ackRequest {t=now}
- [yellowLight.state=Off] switchOn()
- {t .. t+3sec} [redLight.state=Off] switchOn(); [yellowLight.state=On] switchOff()
- {t .. t+12sec} [theBarrier.state=Opened] closeBarrier()
- receiveAck
- getBarrierStatus {t'=now}
- [bSensor.status=Closed and t'-t<=6sec] setMode(Safe)
- [bSensor.status<>Closed or t'-t>6sec] setMode(Unsafe)
Requirements elicitation: state diagrams

State diagram of the LCC system (reconstructed here as a transition list).

States: Deactivated, and the composite state Activated containing YellowLightOn, RedLightOn, ClosingBarrier, ClosedBarrier, OpeningBarrier and Failure.

Transitions:
- Deactivated --trainDetectionEntry / yellowLightOn()--> YellowLightOn
- YellowLightOn --timeOut_1 / redLightOn()--> RedLightOn
- RedLightOn --timeOut_2 / closeBarrier()--> ClosingBarrier
- ClosingBarrier --timeOut_3 [bSensor.status=Closed] / setMode(Safe)--> ClosedBarrier
- ClosingBarrier --timeOut_3 [bSensor.status=Opened] / setMode(Unsafe)--> Failure
- ClosedBarrier --trainDetectionRear / openBarrier()--> OpeningBarrier
- OpeningBarrier --deactivate--> Deactivated
- failure and repair: the transitions into and out of the Failure state drawn on the slide
Requirements elicitation: main safety properties

OCL invariants and pre/post-conditions:

    context LCC_System
    inv 1: self.theBarrier.state=Closed implies self.redLight.state=On and
           self.theBarrier.state=Closing implies self.yellowLight.state=On and
           self.yellowLight.state=Off and self.redLight.state=Off implies self.theBarrier.state=Open
    inv 2: self.state=Activated and self.bSensor.state=Open implies self.mode=Unsafe
    inv 4: self.bSensor.state=Open and self.theBarrier.state=Closed implies self.mode=Unsafe

    context LCC_System :: openBarrier
    pre:  self.theBarrier.state=Closed and self.mode=Safe
    post: self.theBarrier.state=Open
IV. From UML to B: mapping UML diagrams into B formal specifications

Formal semantics for UML/OCL
- Why B? UML: collections of objects ↔ B: sets
- How? Transformation rules from UML/OCL into B

Overview (as drawn on the slide): UML/OCL model (diagrams and constraints) --translation rules--> B formal specification (abstract machines), with OCL → B for the constraints.

Mapping rules:
- a class Class_i becomes a set: class_i ⊆ CLASS_i
- an attribute state_i of Class_i becomes a total function: state_i ∈ class_i → STATE_i
- an association Ass_ij between Class_i and Class_j becomes a relation in the invariant
- operations oper1(), …, operN() become B operations; an OCL operation

      context Class_i::operation(arg:Type)
      pre:  predicate(class_i, arg)
      post: predicate(class_j, arg)

  becomes

      a(args) == PRE {precondition} THEN {postcondition} END
UML → B: formalization of class diagrams

UML class diagram of the level crossing (reconstructed here as a list of classes with their attributes and operations):

- Barrier: state : bSTATE; close(), open()
- BarrierSensor: status : bSTATE; getBarrierStatus()
- Light: state : LIGHTstate; switchOn(), switchOff()
- LevelCrossingControl: state : STATE, mode : {Safe,Unsafe}; closeBarrier(), openBarrier(), yellowLightOn(), yellowLightOff(), redLightOn(), redLightOff(), trainDetectEntry(), trainDetectRear()
- TrainborneControl: state : tSTATE; applyBreaks(), releaseBreaks(), continueRun(), getStateLC(), receiveAck(), askAck(), downSpeed(), upSpeed(), standStill(), sendSignal()
- VehicleSensor, Controller, TrainDriver, OperationPanel, OnboardPanel, OperationsCenter (no attributes or operations shown)

Association roles (multiplicities 1, *, 0..1 as drawn): theBarrier, bSensor, sensor, redLight, yellowLight, lc, train, rear, lcc_train, oc, lcc_oc, train_oc
UML → B: formalization of class diagrams

Translation of a class (the Barrier class):

    MACHINE Barrier
    USES BarrierSensor
    SETS BARRIER
    VARIABLES barrier, bState
    INVARIANT
      barrier ⊆ BARRIER ∧
      bState ∈ barrier → bSTATE
    INITIALISATION barrier, bState := ∅, ∅
    OPERATIONS
      openBarrier(obj) =
        PRE obj ∈ barrier ∧ bState(obj) = Closed
        THEN bState(obj) := Opened
        END;
      closeBarrier(obj) =
        PRE obj ∈ barrier ∧ bState(obj) = Opened
        THEN bState(obj) := Closed
        END
    END
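The mapping rules of the two preceding slides can be mechanised. The following Python script is an added example, not the authors' translation tool: it applies the rules class → deferred set plus subset variable, attribute → total function, and OCL pre/post → PRE/THEN to a small class description and emits the B machine text. The class description of Barrier is hand-written from the slide; the attribute naming convention (Barrier.state → bState) and the restriction of pre/post-conditions to attribute equalities are assumptions of this example. An operation that mentions an attribute its class does not declare is rejected, which is the simplest instance of the inconsistency detection the approach is meant to provide.

```python
"""UML class -> B abstract machine, following the mapping rules on the slides.
Added example; the Barrier description below is hand-written from the slide."""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Attribute:
    name: str        # UML attribute name, e.g. "state"
    type_name: str   # B set of its values, e.g. "bSTATE"


@dataclass
class Operation:
    name: str
    pre: Dict[str, str]    # attribute -> required value (OCL pre, equalities only)
    post: Dict[str, str]   # attribute -> new value (OCL post, equalities only)


@dataclass
class UmlClass:
    name: str
    attributes: List[Attribute]
    operations: List[Operation]
    uses: List[str] = field(default_factory=list)   # machines referenced via USES


def attr_var(cls: UmlClass, attr_name: str) -> str:
    """Naming convention assumed here: Barrier.state -> bState (class initial + attribute)."""
    return cls.name[0].lower() + attr_name[0].upper() + attr_name[1:]


def to_b_machine(cls: UmlClass) -> str:
    """Rules: class -> SETS CLASS and class ⊆ CLASS; attribute -> total function
    class → TYPE; OCL pre/post -> PRE/THEN. Raises ValueError when an operation
    refers to an attribute the class does not declare."""
    inst = cls.name.lower()          # the variable holding the live instances
    carrier = cls.name.upper()       # the deferred set of all possible instances
    attrs = {a.name: attr_var(cls, a.name) for a in cls.attributes}
    for op in cls.operations:
        for a in list(op.pre) + list(op.post):
            if a not in attrs:
                raise ValueError(f"{cls.name}::{op.name} refers to unknown attribute {a}")

    out = [f"MACHINE {cls.name}"]
    if cls.uses:
        out.append("USES " + ", ".join(cls.uses))
    out.append(f"SETS {carrier}")
    all_vars = [inst] + list(attrs.values())
    out.append("VARIABLES " + ", ".join(all_vars))
    conj = [f"{inst} ⊆ {carrier}"]
    conj += [f"{attrs[a.name]} ∈ {inst} → {a.type_name}" for a in cls.attributes]
    out.append("INVARIANT")
    out.append(" ∧\n".join("  " + c for c in conj))
    out.append("INITIALISATION " + ", ".join(all_vars) + " := " + ", ".join(["∅"] * len(all_vars)))
    out.append("OPERATIONS")
    for k, op in enumerate(cls.operations):
        # every operation is guarded by membership of the instance variable
        pre = [f"obj ∈ {inst}"] + [f"{attrs[a]}(obj) = {v}" for a, v in op.pre.items()]
        then = [f"{attrs[a]}(obj) := {v}" for a, v in op.post.items()] or ["skip"]
        out.append(f"  {op.name}(obj) =")
        out.append("    PRE " + " ∧ ".join(pre))
        out.append("    THEN " + " || ".join(then))
        out.append("    END" + (";" if k < len(cls.operations) - 1 else ""))
    out.append("END")
    return "\n".join(out)


# Hand-written description of the Barrier class from the slide (constructed input)
BARRIER = UmlClass(
    name="Barrier",
    attributes=[Attribute("state", "bSTATE")],
    operations=[
        Operation("openBarrier", pre={"state": "Closed"}, post={"state": "Opened"}),
        Operation("closeBarrier", pre={"state": "Opened"}, post={"state": "Closed"}),
    ],
    uses=["BarrierSensor"],
)

if __name__ == "__main__":
    print(to_b_machine(BARRIER))
```

Running the script prints a machine with the same SETS, VARIABLES, INVARIANT and OPERATIONS clauses as the Barrier machine on the slide; the generated text is meant to be fed to a B toolkit for type checking and proof, which this example does not replace.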
UML → B: formalization of class diagrams

Part of the B specification – machine LCC_System (the relation symbol between lcc and train in the invariant did not survive extraction and is left blank):

    MACHINE LCC_System
    SETS
      LCC;
      STATE = {Deactivated, ShowingYlight, ShowingRlight, ClosingB, OpeningB, ClosedB, Failure};
      MODE = {Safe, Unsafe}
    INCLUDES Barrier, BarrierSensor, Red.Light, TrainborneCS, Yellow.Light
    VARIABLES lcc, lcc_barrier, lcc_sensor, state, redLight, yellowLight, lcc_train, mode
    INVARIANT
      lcc ⊆ LCC ∧
      lcc_barrier ∈ lcc → barrier ∧
      lcc_sensor ∈ lcc → bSensor ∧
      state ∈ lcc → STATE ∧
      redLight ∈ lcc → Red.light ∧
      yellowLight ∈ lcc → Yellow.light ∧
      lcc_train ∈ lcc     train ∧
      mode ∈ lcc → MODE ∧
      ...
UML → B: formalization of state diagrams

Machine LCC_System – operations:

    OPERATIONS
      timeOut_1_showRlight(obj) =
        PRE obj ∈ lcc ∧
            state(obj) = ShowingYlight ∧
            bStatus(lcc_sensor(obj)) = Opened ∧
            bState(lcc_barrier(obj)) = Opened ∧
            Red.lState(redLight(obj)) = Off ∧
            Yellow.lState(yellowLight(obj)) = On
        THEN state(obj) := ShowingRlight ||
             Yellow.switchOff(yellowLight(obj)) ||
             Red.switchOn(redLight(obj))
        END;

      timeOut_2_closeBarrier(obj) =
        PRE obj ∈ lcc ∧
            state(obj) = ShowingRlight ∧
            Red.lState(redLight(obj)) = On ∧
            Yellow.lState(yellowLight(obj)) = Off
        THEN state(obj) := ClosingB ||
             closeBarrier(lcc_barrier(obj))
        END;

      timeOut_3_setMode(obj) =
        PRE obj ∈ lcc ∧
            state(obj) = ClosingB ∧
            bState(lcc_barrier(obj)) = Closed ∧
            Red.lState(redLight(obj)) = On ∧
            Yellow.lState(yellowLight(obj)) = Off
        THEN SELECT bStatus(lcc_sensor(obj)) = Closed THEN
               state(obj) := ClosedB ||
               mode(obj) := Safe
             WHEN bStatus(lcc_sensor(obj)) = Opened THEN
               state(obj) := Failure
             ELSE skip
             END
        END;
      …
UML → B: formalization of OCL constraints

Machine LCC_System – invariant (the second conjunct applies lState to yellowLight, so it is written with Yellow.lState, matching inv 1 of the OCL slide):

    ∀ obj . (obj ∈ lcc ∧ bState(lcc_barrier(obj)) = Closed
             ⇒ Red.lState(redLight(obj)) = On) ∧
    ∀ obj . (obj ∈ lcc ∧ bState(lcc_barrier(obj)) = Closing
             ⇒ Yellow.lState(yellowLight(obj)) = On) ∧
    ∀ obj . (obj ∈ lcc ∧ Yellow.lState(yellowLight(obj)) = Off ∧ Red.lState(redLight(obj)) = Off
             ⇒ bState(lcc_barrier(obj)) = Opened) ∧
    ∀ obj . (obj ∈ lcc ∧ state(obj) ∈ Activated ∧ bStatus(lcc_sensor(obj)) = Opened
             ⇒ mode(obj) = Unsafe) ∧
    ∀ obj . (obj ∈ lcc ∧ bStatus(lcc_sensor(obj)) = Opened ∧ bState(lcc_barrier(obj)) = Closed
             ⇒ mode(obj) = Unsafe)
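The state-diagram operations and the OCL invariants of the preceding slides can be checked against each other by enumerating every reachable configuration of one crossing and evaluating the invariants in each. The Python model below is an added example, not the authors' B machines, and it uses explicit state enumeration in place of B proof obligations; it serves both the state-diagram slides and the invariant slides. Assumptions that are not on the slides: the barrier takes only the values Opened/Closed as in machine Barrier (so the Closing clause of inv 1 is vacuous and is omitted), the barrier sensor may fail to report Closed after a close command, trainDetectionRear/openBarrier returns the mode to Unsafe, and repair restores the Deactivated configuration. The `faulty_timeout3` switch is a deliberate modelling mistake, added to show the check reporting the invariant it breaks.

```python
"""Exhaustive exploration of the level-crossing controller, checking the
OCL/B invariants of the slides in every reachable state.
Added example with a hand-written model; not the authors' B specification."""

from collections import namedtuple

# configuration: controller state, commanded barrier, sensor reading, lights, mode
S = namedtuple("S", "ctrl barrier sensor red yellow mode")
ACTIVATED = {"ShowingYlight", "ShowingRlight", "ClosingB", "ClosedB", "OpeningB", "Failure"}
INITIAL = S("Deactivated", "Opened", "Opened", "Off", "Off", "Unsafe")  # assumed start


def successors(s, faulty_timeout3=False):
    """Transitions of the LCC state diagram (event names as on the slides).
    faulty_timeout3=True drops the sensor guard of timeOut_3 (deliberate error)."""
    nxt = []
    if s.ctrl == "Deactivated" and s.red == "Off" and s.yellow == "Off":
        # trainDetectionEntry / yellowLightOn()
        nxt.append(s._replace(ctrl="ShowingYlight", yellow="On"))
    elif (s.ctrl == "ShowingYlight" and s.sensor == "Opened" and s.barrier == "Opened"
          and s.red == "Off" and s.yellow == "On"):
        # timeOut_1 / redLightOn(), yellow switched off as in timeOut_1_showRlight
        nxt.append(s._replace(ctrl="ShowingRlight", yellow="Off", red="On"))
    elif s.ctrl == "ShowingRlight" and s.red == "On" and s.yellow == "Off":
        # timeOut_2 / closeBarrier(): the sensor may or may not confirm the closure
        for reading in ("Closed", "Opened"):
            nxt.append(s._replace(ctrl="ClosingB", barrier="Closed", sensor=reading))
    elif s.ctrl == "ClosingB" and s.barrier == "Closed":
        # timeOut_3: SELECT bStatus = Closed THEN ClosedB/Safe WHEN Opened THEN Failure
        if s.sensor == "Closed" or faulty_timeout3:
            nxt.append(s._replace(ctrl="ClosedB", mode="Safe"))
        else:
            nxt.append(s._replace(ctrl="Failure", mode="Unsafe"))
    elif s.ctrl == "ClosedB" and s.barrier == "Closed" and s.mode == "Safe":
        # trainDetectionRear / openBarrier(): pre barrier Closed and mode Safe;
        # mode returns to Unsafe once the barrier is open (assumption)
        nxt.append(s._replace(ctrl="OpeningB", barrier="Opened", sensor="Opened", mode="Unsafe"))
    elif s.ctrl == "OpeningB":
        # deactivate: red light off, back to Deactivated
        nxt.append(s._replace(ctrl="Deactivated", red="Off"))
    elif s.ctrl == "Failure":
        # repair: assumed to restore the initial configuration
        nxt.append(INITIAL)
    return nxt


# The invariants of the OCL slide, written as implications over one configuration.
INVARIANTS = {
    "inv1a: barrier Closed => red On":
        lambda s: s.barrier != "Closed" or s.red == "On",
    "inv1c: both lights Off => barrier Opened":
        lambda s: not (s.red == "Off" and s.yellow == "Off") or s.barrier == "Opened",
    "inv2: Activated and sensor Opened => Unsafe":
        lambda s: not (s.ctrl in ACTIVATED and s.sensor == "Opened") or s.mode == "Unsafe",
    "inv4: sensor Opened and barrier Closed => Unsafe":
        lambda s: not (s.sensor == "Opened" and s.barrier == "Closed") or s.mode == "Unsafe",
}


def explore(faulty_timeout3=False):
    """Depth-first enumeration from INITIAL; returns (reachable states, violations)."""
    seen, frontier, violations = {INITIAL}, [INITIAL], []
    while frontier:
        s = frontier.pop()
        for name, holds in INVARIANTS.items():
            if not holds(s):
                violations.append((name, s))
        for t in successors(s, faulty_timeout3):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen, violations


if __name__ == "__main__":
    states, bad = explore()
    print(f"model as specified: {len(states)} reachable states, {len(bad)} violations")
    for name, s in explore(faulty_timeout3=True)[1]:
        print("faulty timeOut_3 violates", name, "in", s)
```

With the guard in place the eight reachable configurations all satisfy the invariants; with the guard removed the checker reports the ClosedB configuration in which the sensor still reads Opened while the mode is Safe, which is exactly the situation inv 2 and inv 4 forbid. A B proof of the real machine establishes the same property for every instance and every initial state, not only for the configurations this enumeration visits.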
IV. From UML to B: translating time features into extended B

Classical B:
- specifying a clock abstract machine
- defining abstract variables holding the times

Time-extended B with timed substitutions:
- a semantic extension of B substitutions, derived from Duration Calculus (WDC*)