Formal verification and validation of run-to-completion style state charts using Event-B
State chart notations with ‘run to completion’ semantics are popular with engineers for designing controllers that react to environment events with a sequence of state transitions but lack formal refinement and rigorous verification methods. State chart models are typically used to design complex control systems that respond to environmental triggers with a sequential process. The model is usually constructed at a concrete level and verified and validated using animation techniques relying on human judgement. Event-B, on the other hand, is based on refinement from an initial abstraction and is designed to make formal verification by automatic theorem provers feasible. Abstraction and formal verification provide greater assurance that critical (e.g. safety or security) properties are not violated by the control system. In this paper, we introduce a notion of refinement into a ‘run to completion’ state chart modelling notation and leverage Event-B’s tool support for theorem proving. We describe the difficulties in translating ‘run to completion’ semantics into Event-B refinements and suggest a solution. We illustrate our approach and show how models can be validated at different refinement levels using our scenario checker animation tools. We show how critical invariant properties can be verified by proof despite the reactive nature of the system and how behavioural aspects of the system can be verified by testing the expected reactions using a temporal logic, model checking approach. To verify liveness, we outline a proof that the run to completion is deadlock-free and converges to complete the run.
Keywords: Event-B, Refinement, Run to completion, State charts
Pages: 523-541
Authors: Morris, K.; Snook, C.; Hoang, T. S.; Hulette, G.; Armstrong, R.; Butler, M.
Date: December 2022
Citation: Morris, K., Snook, C., Hoang, T. S., Hulette, G., Armstrong, R. and Butler, M. (2022) Formal verification and validation of run-to-completion style state charts using Event-B. Innovations in Systems and Software Engineering, 18(4), 523-541. (doi:10.1007/s11334-021-00416-4)
Text: Morris2022_Article_FormalVerificationAndValidatio - Version of Record
Accepted/In Press date: 15 August 2021
e-pub ahead of print date: 4 March 2022
Published date: December 2022
Additional Information:
Funding Information:
Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the US Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.
Publisher Copyright:
© 2022, National Technology & Engineering Solutions of Sandia, LLC.
Copyright:
Copyright 2022 Elsevier B.V., All rights reserved.
Identifiers
Local EPrints ID: 457537
URI: http://eprints.soton.ac.uk/id/eprint/457537
ISSN: 1614-5046
PURE UUID: 6fd0cab2-e0ca-4a93-993f-ee958eb5ac34
Catalogue record
Date deposited: 10 Jun 2022 16:41
Last modified: 18 Mar 2024 03:32