Results 11 - 20 of 69
Formal and Informal Specifications of a Secure System Component: first results in a comparative study
- FME'94: Industrial Benefit of Formal Methods, Volume 873 of Lecture Notes in Computer Science, 1994
Cited by 14 (7 self)
This paper presents initial results in a comparative study of formal and conventional techniques in the design of a secure system component: a trusted gateway. The operation of a trusted gateway is briefly introduced. The industrial context of its development is described, as is the form of the experiment. So far, part-formal and conventional design specifications have been produced for the trusted gateway from a common informal requirements document. As part of this process, queries have been raised against the informal requirements. These have been carefully logged, and form the subject of a preliminary analysis presented here. These first results suggest that the use of a formal specification language (in this case VDM-SL) leads to an increased number of queries, and a bias in the specifier's concerns towards data rather than design issues.
Software Engineering with Formal Methods: The Development of a Storm Surge Barrier Control System - Revisiting Seven Myths of Formal Methods
- 2001
Cited by 14 (3 self)
This paper discusses the use of formal methods in the development of the control system for the Maeslant Kering. The Maeslant Kering is the movable dam which has to protect Rotterdam from flooding while, at (almost) the same time, not restricting ship traffic to the port of Rotterdam. The control system, called BOS, completely autonomously decides about closing and opening of the barrier and, when necessary, also performs these tasks without human intervention. BOS is a safety-critical software system of the highest Safety Integrity Level according to IEC 61508. One of the reliability-increasing techniques used during its development is formal methods. This paper reports experiences obtained from using formal methods in the development of BOS. These experiences are presented in the context of Hall's famous "Seven Myths of Formal Methods".
Extending the DEVS-Scheme Knowledge-Based Simulation Environment for Real-Time Event-Based Control
- IEEE Trans. on Robotics and Automation, 1993
Cited by 13 (3 self)
This article describes an implementation of real-time simulation and control in DEVS-Scheme, a knowledge-based, discrete event environment. We illustrate a methodology in which the plant, its actuators and sensors are described by discrete event models developed within the event-based control paradigm. A model of the controller is employed to validate its design in a plant/actuator/sensor experimental frame. The same model configuration is then employed for actual control operation by connecting the simulation executive, suitably modified, to a programmable controller that interfaces to the real plant/actuator/sensor system. We show how this methodology is supported by real-time interpretation of the DEVS (Discrete Event System Specification) formalism. A lower bound on the processing speed of a non-deterministic operating system relative to scheduled event times is derived which guarantees correct control timing. We show how the DEVS-based control can be distributed in a hierarchical ...
A Formal Semantics of Data Flow Diagrams
- Formal Aspects of Computing, 1994
Cited by 12 (1 self)
This document presents a full version of the formal semantics of data flow diagrams reported in [Larsen&93]. Data Flow Diagrams are used in Structured Analysis and are based on an abstract model for data flow transformations. The semantics consists of a collection of VDM functions, transforming an abstract syntax representation of a data flow diagram into an abstract syntax representation of a VDM specification. Since this transformation is executable, it becomes possible to provide a software analyst/designer with two `views' of the system being modeled: a graphical view in terms of a data flow diagram, and a textual view in terms of a VDM specification. The specification presented in this document has been processed by the IFAD VDM-SL Toolbox [Lassen93] and the LATEX output is produced directly by means of this tool. The complete transformation has been syntax-checked, type-checked and tested using the IFAD VDM-SL Toolbox [Lassen93]; this has given us confidence that the transformation...
omTroll - Object Modeling in TROLL
- Proceedings of the International Workshop on Information Systems --- Correctness and Reusability (IS-CORE'93), Udo W. Lipeck and G. Koschorrek (eds.), 1993
Cited by 10 (4 self)
We make an attempt to use concepts of the OMT analysis stage to develop formal object-oriented specifications in the TROLL language. The purpose is twofold: on the one hand, ambiguities, vaguenesses, etc. in OMT (and other OOA approaches) can be discovered and eliminated more easily; furthermore, clear semantics can be given to modeling constructs. On the other hand, a popular notation on top of a formal OO specification language helps in making such a language more usable in practice. After briefly introducing TROLL concepts, we analyze the OMT models and identify corresponding TROLL concepts. Finally, we introduce a modified graphical notation based on this analysis.

1 Introduction

In the past few years, there has been considerable activity in the area of object-oriented (OO) analysis and of OO formal specification. OO analysis methods like OMT [RBP+91], life cycle analysis [SM92] and Objectory [JCJO92] have been proposed mainly with a background in software development practice. O...
FODAcom: An Experience with Domain Analysis in the Italian Telecom Industry
Cited by 10 (0 self)
FODAcom is a customization of the FODA domain analysis method for the Italian telecommunications authority, for application within its IT2000 restructuring program. This paper describes recent experience gained in the application of the method within a business unit of Telecom Italia. Three analysis models that were constructed for the Service Provisioning Control (SPC) domain are presented and discussed. Requirements templates, intended for reuse of user requirements across system releases, are also presented and discussed, together with FODAcom's domain evolution strategy.
A guide to the assessment of software development methods
- Software Engineering Institute, Carnegie-Mellon University, 1988
Cited by 9 (2 self)
The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange. FOR THE COMMANDER (signature on file)
Behavior Generation using Model Switching - A Hybrid Bond Graph Modeling Technique
- Society for Computer Simulation, 1994
Cited by 8 (5 self)
This paper discusses a technique for modeling discontinuous physical systems that combines the bond graph energy-flow modeling scheme with a signal-flow modeling scheme augmented with finite state automata. It enables the generation of complex, multi-mode behaviors without violating the energy flow principles imposed by bond graphs. Mode switching is achieved by controlled junctions which can take on one of two states: on and off. The control function of the junctions can be specified as state transition graphs or tables. The modeling methodology presents a common framework for modeling abrupt switching elements, piecewise linear components, and subsystems that undergo behavior mode changes.

1 Introduction

Recent advances in model-based and qualitative reasoning have led to researchers developing large scale models of complex, continuous systems, such as steam powered plants, aircraft, space shuttle, and space station sub-systems. Complex systems often operate in multiple modes, whe...
The Modelling of Embedded Systems Using HASoC
- Proceedings of DATE 02, 2002
Cited by 8 (0 self)
We present a design method (HASoC) for the lifecycle modelling of embedded systems that are targeted primarily, but not necessarily, at SoC implementations. The object-oriented development technique is based on our experiences of using an existing modelling technique (MOOSE) and supports a lifecycle that explicitly separates the behaviour of a system from its hardware and software implementation technologies. The design process, which uses a UML-RT-based notation, begins with the incremental development and validation of an executable model of a system. This model is then partitioned into hardware and software to create a committed model, which is mapped onto a system platform. The methodology emphasises the reuse of preexisting hardware and software platforms to ease the development process. An example application is presented in order to illustrate the main concepts in HASoC.
Postmodern Software Design with NYAM: Not Yet Another Method
- Requirements Targeting Software and Systems Engineering, 1998
Cited by 7 (3 self)
This paper presents a conceptual toolbox for software specification and design that contains techniques from structured and object-oriented specification and design methods. The toolbox is called TRADE (Toolkit for Requirements and Design Engineering). The TRADE tools are used in teaching informatics students structured and object-oriented specification and design techniques, but the toolkit may be of use to practicing software engineers as well. The conceptual framework of TRADE distinguishes external system interactions from internal components. External interactions in turn are divided into external functions, behavior and communication. The paper shows that structured and OO analysis offer a small number of specification techniques for these aspects, most of which can be combined in a coherent software design specification. It is also shown that the essential difference between structured and object-oriented software design approaches lies in the separation of data storage, data ...

