This paper describes a case study of the SysML/KAOS method for a road transportation system for the City of Montreal (VdM), the second-largest city in Canada. The transportation system was developed from unstructured requirements represented in textual and schematic documents. The VdM therefore wanted to investigate new ways of organising and analysing the requirements of traffic projects, in order to increase the level of confidence in their safety, usability and reusability. This paper describes the formal specification, verification and validation of the system requirements and provides an appraisal of the SysML/KAOS requirements engineering method on an industrial-scale case study. SysML/KAOS was designed within the ANR FORMOSE project to bridge the gap between stakeholder needs and the formal specification of system functionalities and domain constraints. The method has proven useful in dealing with the seven refinement levels, twelve components (human, hardware, software and cyber-ph...
2016 IEEE International Conference on Web Services (ICWS), 2016
A configurable process model captures a family of similar processes. Such models can be configured to obtain a process variant according to specific requirements. With this aim, several approaches have been proposed for the configuration of process models. Nevertheless, increasing attention is being paid to achieving this in a sound manner, because of the complex inter-dependencies between the configuration decisions. In this work, we aim to guide the process analyst in configuring process models easily while preserving soundness. To do so, we propose a formal approach for ensuring the correctness of business process configurations while taking into account the structural constraints they have to obey. Specifically, using the Event-B language, we formally define a configurable process model, its correctness-preserving conditions and its configuration constraints.
In this paper, we use a combination of the SysML/KAOS requirements engineering method, an extension of SysML with concepts of the KAOS goal model, and of the B System formal method. Translation rules from a SysML/KAOS goal model to a B System specification have been defined. They make it possible to obtain a skeleton of the B System specification. To complete it, we have defined a language to express the domain model associated with the goal model. The translation of this domain model gives the structural part of the B System specification. The contribution of this paper is the description of translation rules from SysML/KAOS domain models to B System specifications. We also present the formal verification of these rules and describe an open source tool that implements the languages and the rules. Finally, we review the application of the SysML/KAOS method on case studies such as the formal specification of the hybrid ERTMS/ETCS level 3 standard.
2017 IEEE 25th International Requirements Engineering Conference Workshops (REW), 2017
Modeling the domain of a system to be implemented is a very critical and often neglected activity during requirements engineering. In this paper, we set the scene for an approach that complements the SysML/KAOS goal model of a system with an ontological representation of its domain knowledge. We think that an Event-B formalization of that domain representation can be used to enrich the formal specifications obtained from the goal model. This paper describes the metamodel that we propose for the representation of domain knowledge and illustrates the proposal through a Landing Gear System case study.
This paper introduces an Event-B formal model of the adaptive exterior light system for cars, a case study proposed in the context of the ABZ2020 conference. The system describes the different lights provided and the conditions under which they are switched on/off in order to improve the visibility of the driver without dazzling oncoming drivers. The system can be viewed as a lights controller that reads information from the available sensors (key state, exterior luminosity, etc.) and takes the adequate actions by acting on the actuators of the lights, in order to ensure good visibility for the driver according to the information read. Our model is built using stepwise refinement with the Event-B method. We consider all the features of the case study, and all proof obligations have been discharged using the Rodin provers. Our model has been validated using ProB by applying the different scenarios provided. This validation has permitted us to point out and correct some mistak...
A business process fragment is a portion of a business process, most commonly designed for reuse purposes. Fragments are intended to be declared as safe from a privacy perspective when manipulated in an open context. Privacy is related to the authority to have a view on some sensitive information. Business process privacy-preserving fragmentation is the task of decomposing business processes into significant fragments, which can be reused in the future to build new business processes while preserving the sensitive information from leakage. This paper presents a design-time two-phase approach to decomposing existing business processes into significant fragments while preserving the integrity of the data items that navigate within the process. The first phase is based on the so-called Formal Concept Analysis (FCA) technique, handling semantic activity clustering according to the designers' requirements while dealing with the privacy constraints. The second phase manipulates cluste...
2018 23rd International Conference on Engineering of Complex Computer Systems (ICECCS), 2018
Algebraic State-Transition Diagrams (ASTDs) are extensions of common automata and statecharts that can be combined with process algebra operators such as sequence, choice, guard and quantified synchronization. They were previously introduced for the graphical representation, specification and proof of information systems. In an attempt to use ASTDs to specify cyber-attack detection, we have identified a number of missing features in ASTDs. This paper extends the ASTD notation with state variables (attributes), actions on transitions, and a new operator called flow, which corresponds to AND states in statecharts and is a compromise between interleaving and synchronization in process algebras. We provide a formal structured operational semantics of these extensions and illustrate their implementation in an OCaml-based interpreter called iASTD and in the model checker ProB. Extended ASTDs are illustrated in a case study in cyber-attack detection.
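The following is an added illustration, not code from the paper or from the iASTD interpreter: a minimal state machine with state variables (attributes), guards and actions on transitions, plus a quantified interleaving that instantiates one automaton per user, in the spirit of the ASTD extensions listed above. It runs a brute-force login detector over constructed log lines. The log format (`<kind> user=<u> src=<ip>`), the state names and the threshold are assumptions of this example; the flow and synchronization operators are not modelled here.

```python
"""Added illustration (not the paper's or iASTD's code): attribute-carrying
automaton with guarded transitions and actions, and a quantified interleave
(one instance per user), used to detect repeated failed logins followed by a
success. Log lines below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

THRESHOLD = 3  # assumed: failed attempts before a later success is suspicious


@dataclass
class Event:
    kind: str
    user: str
    src: str


@dataclass
class Transition:
    src: str
    event_kind: str
    dst: str
    guard: Callable[[dict, Event], bool] = lambda attrs, ev: True   # default: always enabled
    action: Callable[[dict, Event], None] = lambda attrs, ev: None  # default: no attribute update


@dataclass
class Automaton:
    initial: str
    transitions: List[Transition]
    attrs: dict = field(default_factory=dict)  # state variables (ASTD attributes)
    state: str = ""

    def __post_init__(self) -> None:
        self.state = self.initial

    def step(self, ev: Event) -> bool:
        """Fire the first enabled transition; False means the event is refused."""
        for t in self.transitions:
            if t.src == self.state and t.event_kind == ev.kind and t.guard(self.attrs, ev):
                t.action(self.attrs, ev)  # action on the transition updates attributes
                self.state = t.dst
                return True
        return False


def brute_force_automaton() -> Automaton:
    def start(a: dict, ev: Event) -> None:
        a["fails"], a["srcs"] = 1, {ev.src}

    def count(a: dict, ev: Event) -> None:
        a["fails"] += 1
        a["srcs"].add(ev.src)

    return Automaton("idle", [
        Transition("idle", "login_fail", "counting", action=start),
        Transition("counting", "login_fail", "counting", action=count),
        # guards on the same event kind select the destination from the attributes
        Transition("counting", "login_ok", "alert", guard=lambda a, ev: a["fails"] >= THRESHOLD),
        Transition("counting", "login_ok", "idle", guard=lambda a, ev: a["fails"] < THRESHOLD),
        Transition("idle", "login_ok", "idle"),
    ])


class QuantifiedInterleave:
    """Quantified interleaving: an independent automaton per value of the key (here the user)."""

    def __init__(self, factory: Callable[[], Automaton], key: Callable[[Event], str]) -> None:
        self.factory, self.key = factory, key
        self.instances: Dict[str, Automaton] = {}

    def step(self, ev: Event) -> Automaton:
        inst = self.instances.setdefault(self.key(ev), self.factory())
        inst.step(ev)
        return inst


def parse_line(line: str) -> Event:
    kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(kind, fields["user"], fields["src"])


# Constructed sample log: alice fails four times from two sources, then succeeds.
SAMPLE_LOG = [
    "login_fail user=alice src=10.0.0.5",
    "login_fail user=bob src=10.0.0.9",
    "login_fail user=alice src=10.0.0.5",
    "login_ok user=bob src=10.0.0.9",
    "login_fail user=alice src=10.0.0.6",
    "login_fail user=alice src=10.0.0.6",
    "login_ok user=alice src=10.0.0.6",
    "login_ok user=carol src=10.0.0.7",
]


def detect(lines: List[str]) -> List[Tuple[str, int, List[str]]]:
    """Return (user, failed attempts, sources) for every automaton that reaches 'alert'."""
    qi = QuantifiedInterleave(brute_force_automaton, lambda ev: ev.user)
    alerts = []
    for line in lines:
        inst = qi.step(parse_line(line))
        if inst.state == "alert":
            alerts.append((inst.attrs["fails"] and line.split()[1][5:], inst.attrs["fails"], sorted(inst.attrs["srcs"])))
            inst.state = "idle"  # acknowledge and re-arm this user's instance
    return alerts


if __name__ == "__main__":
    for user, fails, srcs in detect(SAMPLE_LOG):
        print(f"ALERT user={user} failed={fails} sources={','.join(srcs)}")
```

Each user's instance evolves independently (the interleave), while the `fails`/`srcs` attributes and the two guarded `login_ok` transitions carry the detection logic that a plain automaton without state variables could only express by unrolling the counter into states.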
Hybrid systems are one of the most common mathematical models for Cyber-Physical Systems (CPSs). They combine discrete dynamics, represented by state machines or finite automata, with continuous behaviours represented by differential equations. Continuous behaviours are measured by sensors. When the sensors have continuous access to these measurements, the model is called an Event-Triggered model. The properties of this model are easier to prove, but its implementation is difficult in practice. It is therefore preferable to introduce a more realistic model, called a Time-Triggered model, in which the sensors take periodic measurements. Contrary to Event-Triggered models, Time-Triggered models are much easier to implement but much more difficult to verify. Based on the differential refinement logic (dR...
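An added example, not from the paper, of why the time-triggered model is harder to verify: a braking controller whose guard is correct under continuous observation violates its safety invariant once it only samples periodically, because the plant evolves unobserved for a whole period. The plant (a vehicle coasting towards an obstacle, then braking at constant deceleration), the numbers, and the invariant `x + v^2/(2B) <= X_OBS` are constructed for the example; exact rational arithmetic is used so the results carry no floating-point noise.

```python
"""Added illustration (not the paper's model): event-triggered vs time-triggered
control of a braking vehicle. Plant and values are constructed for the example.

State: position x (m), speed v (m/s). The vehicle coasts at constant speed until
the controller commands braking at deceleration B; braking is then integrated in
closed form. Safety invariant: x + v^2/(2B) <= X_OBS, i.e. the vehicle can still
stop before the obstacle."""
from fractions import Fraction as F
from typing import Callable, Tuple

X_OBS = F(105)   # obstacle position, metres (constructed)
V0 = F(20)       # initial speed, m/s (constructed)
B = F(5)         # braking deceleration, m/s^2 (constructed)

Guard = Callable[[F, F, F], bool]


def stopping_distance(v: F) -> F:
    return v * v / (2 * B)


def naive_guard(x: F, v: F, period: F) -> bool:
    """Brake as soon as the stopping distance reaches the remaining distance.
    Sound for a controller that observes continuously (event-triggered)."""
    return x + stopping_distance(v) >= X_OBS


def margin_guard(x: F, v: F, period: F) -> bool:
    """Time-triggered version: the decision must stay safe for the whole next
    period, during which the vehicle coasts v*period further before being seen again."""
    return x + v * period + stopping_distance(v) >= X_OBS


def run(period: F, guard: Guard, max_samples: int = 100_000) -> Tuple[F, bool]:
    """Sample the plant every `period` seconds.
    Returns (stop position, True if the invariant held at every sample)."""
    x, v = F(0), V0
    invariant_ok = True
    for _ in range(max_samples):
        invariant_ok = invariant_ok and (x + stopping_distance(v) <= X_OBS)
        if guard(x, v, period):
            return x + stopping_distance(v), invariant_ok  # brake to a halt, closed form
        x += v * period  # exact coasting between two samples, unobserved by the controller
    raise RuntimeError("controller never braked")


if __name__ == "__main__":
    cases = [
        ("event-triggered (period 1 ms, naive guard)", F(1, 1000), naive_guard),
        ("time-triggered  (period 0.5 s, naive guard)", F(1, 2), naive_guard),
        ("time-triggered  (period 0.5 s, margin guard)", F(1, 2), margin_guard),
    ]
    for label, period, guard in cases:
        stop, ok = run(period, guard)
        print(f"{label}: stops at {float(stop):.2f} m, invariant {'held' if ok else 'VIOLATED'}")
```

With continuous observation the naive guard fires exactly when the stopping distance equals the remaining distance and the vehicle halts at the obstacle. Sampled every 0.5 s, the same guard sees the vehicle 10 m later than it should and overshoots; the margin guard adds the distance covered during one period and is safe again. A proof for the time-triggered model has to carry this inter-sample term through every refinement step, which is the extra verification burden the abstract refers to.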
A means of building safe critical systems consists of formally modeling the requirements formulated by stakeholders and ensuring their consistency with respect to application domain properties. This paper proposes a metamodel for an ontology modeling formalism based on OWL and PLIB. This modeling formalism is part of a method for modeling the domain of systems whose requirements are captured through SysML/KAOS. The formal semantics of SysML/KAOS goals are represented using Event-B specifications. Goals provide the set of events, while domain models provide the structure of the system state of the Event-B specification. Our proposal is illustrated through a case study dealing with a Cycab localization component specification. The case study deals with the specification of a localization software component that uses GPS, Wi-Fi and sensor technologies for the real-time localization of the Cycab vehicle, an autonomous ground transportation system designed to be robust and completely ...
This paper presents a specification of the hybrid ERTMS/ETCS level 3 implementation in the framework of the case study proposed for the 6th edition of the ABZ conference. The specification is based on the methodology and tools arising from the ANR FORMOSE project for the modeling and formal validation of critical and complex system requirements. The requirements are captured as SysML/KAOS goal diagrams and automatically translated into B System specifications, in order to obtain the backbone of the formal specification. Domain properties are captured as ontologies through the SysML/KAOS domain modeling language, based on OWL and PLIB. The structural part of the system formal specification is automatically extracted from these ontologies and completes the result of the translation of the goal diagrams. The system construction is thus incremental, based on the refinement mechanisms existing within the involved methods, and leads to a formally correct system while eliminating any unnece...
This paper is related to the generalised/generic version of the SysML/KAOS domain metamodel and to the translation and back-propagation rules between the new domain models and B System specifications.
Nowadays, the usefulness of a formal language for ensuring the consistency of requirements is well established. The work presented here is part of the definition of a formally-grounded, model-based requirements engineering method for critical and complex systems. Requirements are captured through the SysML/KAOS method and the targeted formal specification is written using the Event-B method. Firstly, an Event-B skeleton is produced from the goal hierarchy provided by the SysML/KAOS goal model. This skeleton is then completed in a second step by the Event-B specification obtained from the system application domain properties, which gives rise to the system structure. Given that the domain is represented using ontologies through the SysML/KAOS Domain Model method, is it possible to automatically produce the structural part of the system Event-B models? This paper proposes a set of generic rules that translate SysML/KAOS domain ontologies into an Event-B specification. The rules have been...
The use of formal methods for the verification and validation of critical and complex systems is important, but can be extremely tedious without modularisation mechanisms. SysML/KAOS is a requirements engineering method. It includes a goal modeling language to model requirements from stakeholders' needs. It also contains a domain modeling language for the representation of the system application domain using ontologies. Translation rules have been defined to automatically map SysML/KAOS models into B System specifications. Moreover, since the systems we are interested in naturally break down into subsystems (enabling the distribution of work between several agents: hardware, software and human), SysML/KAOS goal models allow the capture of assignments of requirements to the agents responsible for their achievement. Each agent is associated with a subsystem. The contribution of this paper is an approach to ensure that a requirement assigned to a subsystem is indeed achieved by that subsystem. A particular emphasis is placed on ensuring that system invariants persist in the subsystem specifications.
Papers by Amel Mammar