Formal Methods and the Development of Dependable Systems (1995)

by J Peleska
Results 1 - 10 of 11

The UniForM Workbench, a Universal Development Environment for Formal Methods

by Bernd Krieg-Brückner, Jan Peleska, Ernst-Rüdiger Olderog, Alexander Baer - FM'99 , 1999
Cited by 19 (2 self)
The UniForM Workbench supports combination of Formal Methods (on a solid logical foundation), provides tools for the development of hybrid, real-time or reactive systems, transformation, verification, validation and testing. Moreover, it...

Test Automation of Safety-Critical Reactive Systems

by J. Peleska, M. Siegel , 1997
Cited by 19 (6 self)
This article focuses on test automation for safety-critical reactive systems. In the first part of the paper we introduce a methodology for specification, design and verification of fault-tolerant systems allowing to combine different methods in a systematic and consistent way, provided that these methods are compositional. The methodology indicates how to "switch" between formal verification and testing during the construction of (possibly large) reactive systems. We introduce the basic notions of testing as far as relevant in the context of reactive systems and relate them to the verification methodology. Part II formally describes our test automation method which is based on Hoare's CSP and takes Hennessy's testing theory as a starting point. It is indicated how this specific method fits into the general approach described in Part I. We introduce CSP test drivers which are trustworthy in the sense that they "approximate" refinement proofs, converging to a full proof with the increas...

Correctness Analysis Of An Embedded Controller

by Holger Schlingloff, Oliver Meyer, Thomas Hülsing , 1999
Cited by 7 (1 self)
In this paper we report on the use of a new method for quality assurance of safety-critical software in aerospace applications. The power and thermal control unit (PTC) of the X-ray satellite "Abrixas", developed by OHB System GmbH, Bremen, was analysed with this new formal method. On the basis of formal specifications we automatically generated and executed test sequences for the reactive behaviour of the controller. We checked the full functionality of the PTC, including real-time and hybrid properties, user interaction, stress- and long-term behaviour, and fault tolerance. Our tool VVT-RT generated an extensive coverage of test sequences for these properties. The tests were then automatically performed and evaluated, using the original hardware in a simulation environment. Due to the universality of VVT-RT, only a little effort was necessary to set up the interfaces. Thus, even though we achieved a higher test coverage, the overall costs of the validation were much lower than with comp...

Formal Methods in Robotics: Fault Tree Based Verification

by Axel Lankenau, Oliver Meyer - In: Proc. of Quality Week , 1999
Cited by 6 (2 self)
The intention of this paper is to emphasize the importance of employing formal methods for the design of robotic systems. After a brief survey of current research in this area, a set of requirements is discussed that a formal development process should fulfil. As an extended example, a general verification approach for reactive systems is described in detail. It is based on a CSP specification of a fault tree that observes the behaviour of the target system. A template for the modelling of fault tree leaves and nodes is given, and it is instantiated by a "real-world" application taken from the field of mobile robotics.

Combining Tools for the Verification of Fault-Tolerant Systems

by Bettina Buth, Rachel Cardell-oliver, Jan Peleska - In: Tools for System Development and Verification, (Workshop Proceedings), BISS Monographs, Shaker , 1996
Cited by 4 (3 self)
In this article, we describe an approach for the tool-supported development and verification of fault-tolerant systems according to the invent&verify paradigm. Our method is based on the CSP (Communicating Sequential Processes) specification language. It allows the desired properties of a system to be expressed as implicit specifications (assertions about traces and refusals), explicit specifications (CSP process terms), refinement relations or combinations of these three description formalisms. From our experience with industrial verification projects, this possibility to choose between different specification paradigms according to the specific needs of each development step is essential to cope with large-scale formal development and verification projects. Each top-down development step according to the invent&verify paradigm introduces a verification obligation whose type depends on the specification techniques applied for the different components involved in the step. We describe...

Experiments on Processing and Linking Semantically Augmented Requirement Specifications

by Daniel Conte de Leon and Jim Alves-Foss , 2004
Cited by 3 (1 self)
Today's critical systems increasingly rely on computers and software. However, market pressure, problems in the application of formal methods, and ineffective traceability techniques may all exacerbate the difficulty of applying adequate assurance techniques to the design and development of safe and trustworthy systems. Necessity dictates that engineers target critical sections that require formal verification and high reliability. To achieve this objective, we need to implement and maintain linking relationships among system work products and be able to propagate criticality of requirements to subsequent work products. We successfully implemented traceability between an informal requirements document and its formal specification using two new XML-derived markup languages. We addressed the issues of specifying and propagating criticality of requirements and consistency of this determination within and between work products.

Test Automation for Avionic Systems and Space Technology (Extended Abstract)

by Jan Peleska, Cornelia Zahlten
Cited by 3 (0 self)
Jan Peleska, Universität Bremen, Technologiezentrum Informatik TZI, jp@tzi.org; Cornelia Zahlten, Verified Systems International GmbH, Bremen, cmz@verified.de.

Introduction. In this article, we give an overview about typical objectives and problems to be encountered when testing embedded systems in avionics or space technology. The overview is based on experiences gained during (1) the verification and test of the DMS-R FTC fault-tolerant computer system developed by Daimler-Chrysler Aerospace for the International Space Station ISS (see [6, 1]), (2) the test of the PTC Power and Thermal Controller for the ABRIXAS satellite developed by OHB and (3) an automated test system currently developed for the test of the Airbus CIDS Cabin Intercommunication Data System Family developed by DaimlerChrysler Aerospace Airbus (K.I.D.-Systeme). In these projects, automated tests were performed using the RT Tester tool (formerly called VVT-RT) developed by Verified Systems International in collabo...

Automated Testing with RT-Tester - Theoretical Issues Driven by Practical Needs

by Markus Dahlweid, Oliver Meyer, Jan Peleska - In Proceedings of the FM- Tools 2000, number 2000-07 in Ulmer Informatik Bericht , 2000
Cited by 1 (0 self)
The RT-Tester tool has been developed by Verified Systems International in cooperation with the TZI at Bremen University in order to support automated testing for reactive real-time systems. In this article, we give an overview on theoretical issues concerning variants of timed transition systems and their interpretation in hard real-time which have been stimulated by the practical requirements of automated test generation, execution and on-the-fly evaluation. We sketch future developments with the objective to include testing of hybrid systems into our theoretical framework and in the tool architecture of RT-Tester.

Structuring Specifications with Modes

by Alexei Iliasov, Alexander Romanovsky, Fernando Luís Dotti - FOURTH LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING , 2009
Cited by 1 (1 self)
The two dependability means considered in this paper are rigorous design and fault tolerance. It can be complex to rigorously design some classes of systems, including fault tolerant ones, therefore appropriate abstractions are needed to better support system modelling and analysis. The abstraction proposed in this paper for this purpose is the notion of operation mode. Modes are formalised and their relation to a state-based formalism in a refinement approach is established. The use of modes for fault tolerant systems is then discussed and a case study presented. Using modes in state-based modelling allows us to improve system structuring, the elicitation of system assumptions and expected functionality, as well as requirement traceability.

A Pragmatic Approach To Formal Specification

by Maritta Heisel
We propose a pragmatic approach to overcome some difficulties arising in the practical usage of formal specification techniques. We argue that the transition from informal requirements to a formal specification should not be made too early, that it is not necessary to formally specify every detail, that different formalisms should be combined where appropriate, and that sometimes it may be useful not to adhere to limitations imposed by the formal specification language. This pragmatic approach also helps to deal with legacy systems.

1 INTRODUCTION

In theory, the advantages of formal specifications over conventional methods are well known: The problem is analyzed in more detail and thus better understood. The formal specification is an unambiguous and (hopefully) complete starting point for the implementation of the system. The formal specification documents the behavior of the system. It can be used to choose test cases and to determine if the results of the test cases coincide with t...
Developed at and hosted by The College of Information Sciences and Technology

© 2007-2010 The Pennsylvania State University