this article.

Abstract—ASTRAL is a formal specification language for realtime systems. It is intended to support formal software development and, therefore, has been formally defined. The structuring mechanisms in ASTRAL allow one to build modularized specifications of complex systems with layering. A realtime system is modeled by a collection of state machine specifications and a single global specification. This paper discusses the rationale of ASTRAL’s design. ASTRAL’s specification style is illustrated by discussing a telephony example. Composability of one or more ASTRAL system specifications is also discussed by the introduction of a composition section, which provides the needed information to combine two or more ASTRAL system specifications. Index Terms—Formal methods, formal specification and verification, assertions, temporal logic, realtime systems, timing

Software process is how an organization goes about developing or maintaining a software system. It is the methodology employed when people use machines, tools, and artifacts to create a product. Recent work has applied formal modeling to software process, with the hope of reaping the benefits of unambiguous and analyzable formalisms. Yet industry has been slow to adopt formal model technologies. Two reasons are that it is costly to develop a formal model and, once developed, there are no methods to ensure that the model indeed reflects reality. This thesis develops techniques for process event data analysis that help solve these two problems, which are termed process discovery and process validation. For process discovery, event data captured from an on-going process is used to generate a formal model of process behavior. To do this, results from the field of grammar inference are applied, and a new method is also developed. The methods are shown to be efficient and practical to use in...

To a great extent, the usefulness of a formal model of a software process lies in its ability to accurately predict the behavior of the executing process. Similarly, the usefulness of an executing process lies largely in its ability to fulfill the requirements embodied in a formal model of the process. When process models and process executions diverge, something significant is happening. We are developing techniques for uncovering discrepancies between models and executions under the rubric of process validation. Further, we are developing metrics for process validation that give engineers a feel for the severity of the discrepancy. We view the metrics presented here as a first step toward a suite of useful metrics for process validation.

this paper.

ASTRAL is a formal specification language for realtime systems. It is intended to support formal software development, and therefore has been formally defined. This paper focuses on how to formally prove the mathematical correctness of ASTRAL specifications. ASTRAL is provided with structuring mechanisms that allow one to build modularized specifications of complex systems with layering. A realtime system is modeled by a collection of process specifications and a single global specification. Each process specification consists of a sequence of levels; each level is an abstract data type view of the process being specified. In this paper further details of the ASTRAL refinement process, which were not fully developed in previous papers, are presented. Formal proofs in ASTRAL can be divided into two categories: inter-level proofs and intra-level proofs. The former deal with proving that the specification of level i+1 is consistent with the specification of level i, while the latter dea...

Reactive systems exhibit ongoing, possibly non-terminating, interaction with the environment. Real-time systems are reactive systems that must satisfy quantitative timing constraints. This paper presents a structured compositional design method for discrete real-time systems that can be used to combat the combinatorial explosion of states in the verification of large systems. A composition rule describes how the correctness of the system can be determined from the correctness of its modules, without knowledge of their internal structure. The advantage of compositional verification is clear. Each module is both simpler and smaller than the system itself. Composition requires the use of both model-checking and deductive techniques. A refinement rule guarantees that specifications of high-level modules are preserved by their implementations. The StateTime toolset is used to automate parts of compositional designs using a combination of model-checking and simulation. The design method is illustrated using a reactor shutdown system that cannot be verified using the StateTime toolset (due to the combinatorial explosion of states) without compositional reasoning. The reactor example also illustrates the use of the refinement rule.

Time drives our lives in a pervasive andconvulsive way. Itwas not always so� people, today as in the past, have very di erent feelings about time. Lunch{time seems to be a synchronous, clock driven, event for the employees of a large city, but it was absolutely asynchronous for the stone{age men, who were driven only

As technology progresses and computers become smaller, cheaper, and more powerful, they are increasingly relied on to guarantee the safety of human life and the environment. In most cases, it is not enough to merely provide such safety mechanisms, but is also critical to assure that they will be activated in time to prevent disasters. These real-time systems are found in both large-scale projects with highly visible consequences such as nuclear reactors and air traffic control systems as well as in consumer goods such as automobiles and smoke detectors. As more and more reliance is placed on real-time computing systems to perform critical and everyday functions, the need for formal methods to guarantee the correctness of these systems becomes crucial. Given the time

The IPTES toolset and methodology have been developed for supporting specifications, design and implementation of real time systems. Such systems are often used in safety critical applications and may thus require intensive testing and analysis before being released for their final use. The IPTES toolset provides analysis mechanisms based on execution and animation of specifications. Such capabilities may be enough for extensive analysis of many hard real-time systems. However, in some cases, part of the system may require additional analysis. New techniques for the analysis of temporal properties based on the IPTES formal kernel model (High-Level Timed Petri Nets) have been studied and developed within the IPTES project. This report describes a first prototype that automatically proofs temporal properties for High-Level Timed Petri Nets. It includes the description of the main design issued, an end-user manual and an experience report that describes the use of the prototype on some in...