MOISE
/
Timed-Altarica-To-Fiacre-Translator
mirror of http://172.16.200.102/MOISE/Timed-Altarica-To-Fiacre-Translator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
This project is a demonstrator tool, made by the MOISE project, that translates timed Altarica models into Fiacre models. Such translation allows to use model checkers such as Tina to prove properties. The project contains the translator tool.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
4.6 MiB
 
 
 
 
 
 
Tree: 18eb3f6047
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '18eb3f6047'
${ noResults }
Timed-Altarica-To-Fiacre-Tr.../doc/Rapport post-doc/2-sota.tex

173 lines
13 KiB
Raw Blame History

% State of the Art
\section{Modelling languages for Safety Analysis}
% modelling languages
In AltaRica, a system is expressed in terms of variables constrained
by formulas and transitions. Several versions of the language have
been defined (see for instance~\cite{arn00,prosvirnova2013altarica}).
Underlying mathematical model......
AltaRica will be described more deeply in Sec.~\ref{sec:altarica}.
% Tempora lproperties for safety
OpenAltarica~\citep{prosvirnova2013altarica} relies on propagation based variable update, but the order in which this propagation
takes place in determined at execution time. Technically, a fixpoint is computed. This new update
scheme does not increase much computation times but extends significantly the expressiveness of the
language. It makes it possible to handle looped systems, i.e. systems in which variables depend of each
other in a circular way. Another new feature of AltaRica 3.0 is the notion of guarded synchronization
that both increases the expressiveness and unifies transitions and synchronizations
Several model-based approaches have been proposed, each with their associated tooling, in order to cope with the complexity of analyzing sophisticated safety architectures and scenarios. However, rare are the languages that come equipped with tools that can perform formal analysis of timed models.
Figaro language~\citep{bouissou05} is an alternative language for failure propagation model which introduces time via stochastic events, while we express temporal constraints on the triggering of events. Figaro models can be analyzed with stochastic simulators which are relevant to assess performance of the system (e.g. an estimation of the false detection rate). As far as we know, there is no translation from Figaro to timed model checking tools in order to verify whether a software logic satisfies applicable deterministic timed requirements.
Several works have combined model-checking and AltaRica. The archetypal example is the MEC tool~\citep{mec5} that was developed at the same time as the language. More recently, Bozzano et al.~\citep{bozzano2012} have defined a transformation from AltaRica Dataflow to the symbolic model-checker NuSMV. While this tool does not support complex timing constraints, it offers some support for Dirac laws (and implicit priorities) by encoding an ad-hoc scheduler.
COMPASS uses the SLIM language, a subset of AADL, for modelling safety architectures. It can automatically generate fault trees, which can be evaluated to determine the probabilities of failures. The FDIR design process and analysis relies, for describing temporal events on fault propagation, on the so-called TFPM (Timed Failure Propagation Models)~\citep{bittner2014}.
AADL (Architecture Analysis and Design Language) is a multi-concerns modelling language dedicated to distributed real-time embedded systems~\cite{aadl}.
AADL has been enriched with several annexes to describe embedded system behvior; for instance, the Error Model V2 (EMV2) is an error annex that focuses on Safety analyses.
EMV2 offers a terminology and an ontology to capture key features of failure propagations, like permanent and transient errors events. EM2V supports AADL to PRISM export into a PRISM model, in order to process model-checking method using the Markov-Chain formalism~\cite{PRISM}; i.e. probabilistic model analysys. The PRISM input language is a simple, state-based language. We discuss furter the PRISM model-checker in sec.~\ref{modelsota}.
UPPAAL is a non-deterministic guarded command language with data types description language. It serves as a modeling or design language to describe system behavior as networks of
timed automata extended with data variables. A simulator and a model-checker are designed for interactive and automated analysis of system behavior by manipulating and solving constraints that represent the state-space of a system description.
Validating a FDIR approach in satellite architecture has been done in project AGATA~\citep{rugina09} by coupling simulation with model-checking, focusing significant part of the system and abstracted away the rest of it using UPPAAL~\cite{uppaal1997}.
\section{Safety Assessment on Temporal Properties}
% Who does that
Our approach provides a solution to
model safety timing constraints within AltaRica, also providing an
automatic transformation from Time AltaRica models in one of the
input formats of Tina, showing how two interesting
problems---computing ``timed cuts'' and bounding the convergence
latency of a node---can be reduced to a decidable model-checking
problem. %% TODO: Complete with FDIR results, and underline the needs filled.
Several works have combined model-checking and AltaRica, the
archetypal example being the MEC tool~\cite{mec5,griffault2004mec} that was
developed at the same time as the language. More recently, Bozzano
et al~\cite{bozzano2012} have defined a transformation from AltaRica
Dataflow to the symbolic model-checker NuSMV. While this tool does not
support complex timing constraints, it offers some support for Dirac
laws (and implicit priorities) by encoding an ad-hoc scheduler. The
use of symbolic model-checking techniques is interesting in the case
of models with a strong combinatorial blow up, like for instance model
HYDRAU of Sect.~\ref{sec:sect4}. Nonetheless, even though Tina also
includes BDD-based tools, no approaches allow to combine the advantages
of both realtime and symbolic model-checking techniques.
Other model-based approaches aim at assessing the dependability of safety-critical dynamic systems.
HiP-HOPS~\cite{papadopoulos2011engineering} is a tool for safety analysis that can generate automatically fault-trees and FMEA tables from extended system models, as well as perform quantitative analysis on fault trees and multi-objective optimisation of the system model.
In Pandora~\cite{walker2009pandora}, Temporal Fault Trees allow to model dynamic behaviours with temporal gates, while temporal laws are used for qualitative analysis.
This approach specifies directly the dynamic failure behaviour of components through a formalism for dynamic dependability, on the other side, using a model-based approach (e.g. modelling with AltaRica), the failure propagation mechanism is directly inferred by the analysis tool from the undelying model.
Realtime techniques are central to our approach. As we will see in Sect.\ref{sec:sect2}, we define an
extension of AltaRica, Time AltaRica, where timing constraints can be declared using {temporal laws} of the form \code{law (evt) = "[a,b]"}, with a
semantics inspired by Time Petri nets. As a result, we can apply on
Time AltaRica several state space abstractions techniques that have been
developed for ``timed models'', such as the use of DBM and state
classes~\cite{BRV04}. In a different way, Cassez et
al.~\cite{pagetti2004} have proposed an extension of AltaRica with
explicit ``clock variables'', inspired by Timed Automata, where clocks
are real-valued flow variables that can be used inside the guards of
events.
%%
% (Which means that there are restrictions on the type of equations
% one can use in the \code{assert} declaration of a node.)
%%
% They also define an algorithm to compile this extension into
% Uppaal~\cite{larsen1997uppaal}.
Their work is mainly focused on the verification of behavioural
properties and focuses on the encoding of urgency and priorities
between events, two notions that are naturally offered in
Fiacre. Also, our extension is less invasive. If we ignore the
\code{extern} declaration then we obtain valid AltaRica code. More
research is still needed to further the comparison between these two
approaches in the context of safety assessments.
Aside from these works on AltaRica, recent works
centred on combining failure propagation analysis and timing constraints,
define an automatic method for
synthesising \emph{Timed Failure Propagation Graphs} (TFPG), that is
an extension of the notion of cut-sets including information on the
date of events~\cite{bittner2016}. TFPG provide a condensed representation that is easier
to use than sets of timed cuts. Therefore, it would be interesting to
use this format in our case.
\section{Model-checking approach to safety assessment}
\label{modelsota}
Several model-checkers have been used in industrial or academic
projects to perform safety analysis. Besides Tina from LAAS, that we discuss further in Sect.~\ref{sec:tina},
UPPAAL, MEC, ARC, PRISM, and NuSMV are the model-checkers more widely used in this domain.
UPPAAL~\cite{uppaal1997} provides a model-checker. It is designed to check for invariant
and reachability properties. Other properties, such as bounded liveness
properties, can be checked by reasoning about the system
in the context of testing automata or simply decorating
the system description with debugging information and
then checking reachability properties. Model-checking is
performed by a module which takes as input
a network of automata in the textual UPPAAL format
and a formula.
Mec 5~\cite{mec5} is a model-checker for finite AltaRica models.
Properties are verified by testing that the set of states which violate the property is
empty. These properties are expressed in a specification language that allows the definition
of complex relations between different models, e.g. bisimulation.
The AltaRica Checker (ARC)\cite{arc} is a toolbox for the AltaRica language. ARC is aimed at model-checking systems described with AltaRica.
It also gathers several tools for the analysis or compilation of AltaRica models, like the support for Mec 5 specifications, translators for the LUSTRE language~\cite{Griffault06},
and a simulator for models decorated with stochastic informations.
PRISM~\cite{PRISM} is a probabilistic model checker used for formal modelling and analysis of systems that exhibit random or probabilistic behaviour.
It incorporates symbolic data structures and algorithms, based on BDDs (Binary Decision Diagrams) and MTBDDs (Multi-Terminal Binary Decision Diagrams)~\cite{KNP04b}. It also includes a discrete-event simulation engine, providing support for approximate/statistical model checking, and implementations of various different analysis techniques, such as quantitative abstraction refinement and symmetry reduction.
a model-checking tool for processing Markov-Chain. It supports different models such as Discrete Time Markov-Chain (DTMC) or Continuous Time Markov-Chain (CTMC).
It has been used to analyse systems from many different application domains.
NuSMV~\cite{nusmv} (New Symbolic Model Verifier) is a symbolic model checker, supporting verification techniques such as BDD-based and SAT-based techniques. It allows to check finite state systems against specifications in the temporal logic for CTL and LTL. The input language of NuSMV is designed to allow the description of finite state systems that range from completely synchronous to completely asynchronous. The NuSMV language (like the language of SMV) provides for modular hierarchical descriptions and for the definition of reusable components.
Besides, translators between these languages exist, in certain cases.
Even if generally the translation concerns subsets of the languages expressivity, it makes possible testing
tools and compare modelling techniques. Notable examples, are the AADL EMV2 to AltaRica translation~\cite{brunel2017performing}, or the pioneer work from
an AADL subset (System-Level Integrated Modelling (SLIM) language) to NuSMV, aimed at achieving formal analysis via model-checking in the framework of the COMPASS project~\cite{bozzano2010safety}.
\subsection{Tina model-checker}\label{sec:tina}
Tina (TIme Petri Net Analyzer, \url{http://www.laas.fr/tina}) is a
software environment to edit and analyze Petri Nets and Time
Petri Nets~\cite{BRV04}.
Time Petri nets~\cite{merlin1976} are one of the most widely used model
for the specification and verification of real-time systems:
they extend Petri nets with temporal intervals associated with
transitions, specifying firing delay ranges for the transitions.
In addition to the usual editing and analysis facilities of
similar environments, Tina offers various abstract state space
constructions that preserve specific classes of properties of
the state spaces of nets, like absence of deadlocks, linear
time temporal properties, or bisimilarity. For untimed systems,
abstract state spaces helps to prevent combinatorial explosion.
For timed systems, abstractions are mandatory as their state
spaces are typically infinite, Tina implements various abstractions based on state classes.
We used Tina as mode-checker (via the tool \emph{selt}) for the toolchain described in these pages
for its capacities with Temporal Petri Nets, and its performances as model-checker.
In addition, several model-checkers are being developed specifically for Tina.
The first available, \emph{selt}, is a model-checker for an enriched version
of State/Event -- LTL checking ~\cite{chaki2004}, a linear time temporal logic
supporting both state and transition properties. For the properties found false, a timed counter example is
computed and can be replayed by the simulator \emph{play}, also present in Tina's software suite.
Then, Tina can present its results in a variety of formats,
understood by model checkers like MEC~\cite{mec5}, a $\mu$-calculus
formula checker, or behavior equivalence checkers like Bcg,
part of the CADP toolset~\cite{cadp}.