translating interlocking models: from xuml to mcrl2 and back · 2015-06-02 · intro xuml safety...

Intro xUML Safety Properties mCRL2 Translation Automation Conclusion

Translating Interlocking Models:

From xUML to mCRL2 and Back

Helle Hvid Hansen

Eindhoven University of Technology

FMCO, 29 November 2010, Graz, Austria.

Helle Hvid Hansen Translating Interlocking Models


Formal Verification in INESS

York: theorem proving (via SPEC#).

Southampton: model refinement, theorem proving (viaUML-B, Event-B).

Eindhoven and Twente (LaQuSO): model checking.

...using existing tools:

mCRL2: formal specification language, explicit statemodel checking.

LTSmin: symbolic model checking(more in next talk by J.Ketema).



This talk:

A tool chain for translating and model checking interlockingspecifications.

Joint work:

Eindhoven University of Technology:HHH, Bas Luttik, MohammadReza Mousavi.

University of Twente: Jeroen Ketema, Jaco van de Pol.

University of York: Osmar Marchi dos Santos.



Model Checking Tool Chain

Interlocking model(xUML)

Track layout specification

Safety properties model(xUML)

Safety propertiesinstance specification

Automated Translation(Epsilon)

Formal model(mCRL2 spec)

Model checking(mCRL2, LTSmin)

Error trace(mCRL2 format)

Trace visualisation(Epsilon)

Visualised trace(UML sequence diagram)

“No errors found”



Overview

xUML interlockings (brief recap)

Safety properties as UML state machines.

The mCRL2 specification language.

Translation from xUML to mCRL2 and back.

Automation via model transformation (Epsilon)



xUML Interlocking Constructs

Class diagrams:

Inheritance,

Associations between classes,

Derived attributes (like macro expression).

State machine diagrams:

Concurrent and composite states (AND- and OR-states).

Initial pseudo-states (no history, no final pseudo states).

States with entry and exit actions.

Transitions (possibly with guard) triggered bysignal event, timeout event, or change event.



Example: Class Diagram

route

id/proceed_conditions_ok := ..../is_established := ...

point

/at_left := in_state(#working.left)/at_right := in_state(#working.right)/is_locked := exists (L_routes UNION R_routes) is_true /is_established

HAL device

track signal

id

/is_free := ...

routes routes

*

*

*

tracks left_points right_points*

R_routesL_routes * *

entry_signal1*



Example: State Machine Diagram Route



Safety Properties of Interlockings

Expressed in natural language, e.g.S 0001: “A locked point shall never move”.

Often expressed in terms of system state.

Often involves several objects, e.g.S 0002: “The entry signal of an established route shallnever display proceed when one of its tracks is occupied”



Safety Property as Observer State Machine

Idea:

State machine observes system state.

Transitions are triggered by change events.

If violation is detected, then send error message andcause system to deadlock.

Find safety violations via deadlock detection (or searchingfor error action).

Pros and Cons:

+ facilitate discussions with xUML modeller, railways, ...(no need to understand mCRL2, modal formulas).

+ reuse of automated translation.

� observer state machine subject to same semantics asxUML interlocking model.



Safety Properties xUML Model

Use similar constructs as xUML interlocking model.A particular safety property is specified by a class.Translate as if specialisation of observed class.

AbstractStateObserver

id : StringObservedObjectName : StringObservedClassName : String/triggered : DerivedAttribute

S_0001 S_0002

/all_tracks_free : DerivedAttribute/proceed : DerivedAttribute

<<signal>>violation




start

triggered

when(/triggered) / send violation(property := id)


/ id := pid



StateObserver S 0001

Define condition /triggered:

running

S_0001

ObservedClassName := “Point”;/triggered := /is_locked and in_state(#working.moving);



StateObserver S 0001

Uses attributes and associations of observed object:

running

S_0001

ObservedClassName := “Point”;/triggered := /is_locked and in_state(#working.moving);

Derived attribute in Point

State in Point state machine



The mCRL2 Specification Language

Informally, mCRL2 is process algebra (ACP) plus data.

Built-in data types: integers, booleans, lists, ...

Abstract data types: E.g.sort Identifiers = struct X | Y | Z ;

Maps and equations, e.g.

map square_of_sum: Int # Int -> Int;

var x,y: Int;

eqn square_of_sum(x,y) = (x+y) * (x+y);

Actions:without data : act a,b,tick;

with data: act send,read : Nat;

e.g. send(2).




Sequential processes are built from:

actions,

sequential composition, e.g. A.B,

alternative composition (nondet. choice), e.g. A + B,

cond -> A <> B (“if cond then A else B”)

recursion, e.g.proc A(x:Int) = (x < 3) -> A(x+1) <> A(0);

summation over data: e.g. sum x:Int . A(x)




Parallel processes and communication:

parallel composition: A || B

e.g. a||b = a.b + b.a + a|b

multi-party synchronisation (multi-actions):e.g. comm({a|b|c -> d}, A)

blocking/allowing actions:can be uses to enforce communication.E.g. allow({d},comm({a|b|c -> d}, a||b||c))

behaves like d, (a,b,c,a|b,a|c and b|c are blocked)



Translation from xUML to mCRL2

From class to process type:

Inheritance: behaviour of X is concurrent composition ofstate machines from superclasses of X (incl. X itself).

Composite states represented by enumerated datatype.

Concurrent states become product of states.

Messages associated with events (enumerated datatype).

Derived attributes are expanded.



Translating Objects

UML 2.2 Semantics: Object behaviour

Objects communicate asynchronously(signals are stored in bu↵ers)

Object execution loop: get signal from bu↵er, firetransitions,update state, get signal ...

Run-to-completion: all behaviour triggered by a signalmust complete before reacting to next signal.

Object process is parallel composition of

Bu↵er process (event pool),

State machine process.



Example: State machine track



States for track

sort track_States = struct track__ready_substate;

track__ready_States = struct

track__ready_free_substate

| track__ready_occupied_substate

| track__ready_startup_substate

| track__ready_nop;

State machine process of instance t1 of class track:(Track has generalisation HAL_device)

proc track_t1(HAL_device_state : HAL_device_States,

track_state : track_States,

track__ready_state : track__ready_States)

= ...



Bu↵er Process for track

sort track_Messages = struct

dv_free_track

| dv_occupied_track;

proc track_Buffer_t1(

message_buffer: List(track_Messages))

=

(#message_buffer < max_buffer_size) ->

sum m:track_Messages. sum sender:Identifiers.

receive_from_system(sender, t1, m).

track_Buffer_t1(message_buffer <| m)

+ (#message_buffer > 0) ->

send_to_component(t1, head(message_buffer)).

track_Buffer_t1(tail(message_buffer));



State Machine Process track

Execution cycle:

proc track_t1(...) =

receive(t1,dv_free_track).

((track_state == track__ready_substate) ->

send_to_environment(

t1,i_track_status_free_track_environment).

track_t1(HAL_device_state,

track_state,

track__ready_free_substate)

<>


track_state,

track__ready_state)

)

+ ...



Object Process for Track

Object process is parallel composition:

proc track_Complex_t1

=

block({send_to_component, receive_from_buffer},

comm({send_to_component|receive_from_buffer

-> message_to_component},

track_Buffer_t1([])

||

track_t1( HAL_device__normal_substate,

track__ready_substate,

track__ready_startup_substate)

)

);



Translating Transition Guards

Example: Transition in point (from state working.right)with guard /is_locked (i.e. in one of its routes/is_established is true))Communicate to get data from route processes.E.g. p1 has routes r1 and r2:

(point__working_state == point__working_right_substate) ->

(sum r1_var:Bool. sum r2_var:Bool.

condition_data_p1_1_consumer(r1,r1_var)

| condition_data_p1_1_consumer(r2,r2_var).

(r2_var || r1_var) ->

... % fire transition

<>

... % guard was false

...Helle Hvid Hansen Translating Interlocking Models


Translating Change Events

UML 2.2 semantics does not specify

when change expressions are evaluated.

whether a change event remains after its changeexpression changes from true to false.

We translate Swhen(cond)/

//S 0

like guarded transition without trigger:evaluate change expression using multi-transition.

change event is not stored in bu↵er.



Translating Time Events

We assume actions take place in zero time )time events can take place at any moment.

timeout action act tick: Identifiers;

indicates time event.

E.g. in process for track t1:

+

(track__ready_state == track__ready_startup_substate) ->

tick(t1).

send_to_environment(t1,i_track_status_free_track_environment).


track_state,

track__ready_free_substate)

...



Translation: from xUML to mCRL2 and back

Translation:1 from xUML to mCRL2 (obtain formal model):

input: xUML model instance + safety property instance.

output: mCRL2 specification.

2 from mCRL2 to UML (trace visualisation):input: error trace

output: UML sequence diagram.



Visualised Trace Example



Automated Translation from xUML to mCRL2

Implemented using model transformation tool Epsilon(Eclipse-based).



Internal model: iUML model

Restructured xUML model:

State hierarchy: tree structure of AND- and OR-states.

State machines are “flattened” (e.g. if source state isOR-state in which substates have di↵erent exit actions).

Objects:Instantiation of expressions and action language.

E.g. in route class: send L points.move left

instantiates in r2 as send move left to p1.

Process data: augmentation of xUML data



iUML Model with Observers

Interlocking model(xUML)

Track layoutspecification

Observer model(xUML)

Observer instancespecification

Interlocking classes(attributes and state machines)

Observer classes(attributes and

state machines)

Interlocking objects(instantiated attributes

and actions)

Observer objects(instantiated attributes

and actions)

Observed objects(IL object plus

observer object)

Process types(messages,

transition groups)

Object processes(instantiated guards

and actions)

iUML model

attr ObservedObjectName



Conclusion

We have demonstrated:

Model safety properties as xUML state machines.

Automatically translate interlocking model and safetyproperties from xUML to mCRL2.

Error trace visualised as UML sequence diagram.

Violations of S_0001 and S_0002 found bydeadlock/error action detection in toy example.Remark: toy example is expected not to be safe (toosimplistic).



Future Work

Extend translation to deal with more complex models:call actions, and other action language elements.

Extend translation to other target languages.

How to formalise trace properties (rather than state):xUML action observers?

Tune translation to use less memory, ... (in order to verifylarge models).


translating interlocking models: from xuml to mcrl2 and back · 2015-06-02 · intro xuml safety...

Documents