Towards Formalizing Time-constrained System Models in Tcoz

This study is concerned with using Unified Modeling Language (UML) model and the UML profile for Modeling and Analysis of Real-Time and Embedded (MARTE) systems to depict a Time-Constrained System (TCS). To perform system formal analysis, TCS models are transformed to Timed Communicating Object Z (TCOZ) specifications. The mapping rules for the modeling elements especially time-related issues are given at meta-model level. Static model, dynamic model and MARTE stereotypes in TCS models can be transformed to TCOZ models respectively. These models are composed together to complete specifications according to some rules. Hence the dependability of the TCS can be checked through the reasoning mechanism in TCOZ. A case study shows the applicability and feasibility of our approach.


INTRODUCTION
Time-Constrained System (TCS) is a special real time and embedded system which has strict demand in timeliness and it is generally used in the military, medical and communicational industry.It will lead to a great disaster once the timeliness is dissatisfied.Enhancing the dependability of TCS has becoming a hotspot in the scope of software development.
Unified Modeling Language (UML) is OMG (2009) most-used specification, which is widely used in object-oriented modeling.But UML lacks the ability to describe quantitative nonfunctional properties, such as real-time, dependability and resource.These properties are important in trustworthy real time and embedded systems.Therefore OMG (2011) proposed UML profile for Modeling and Analysis of Real Time and Embedded (MARTE) systems.
UML/MARTE depicts a system in graphics and lacks for secure semantic information.To verify and analyze system models, contributors have done much to transform UML diagrams to formal specification.Mostafa et al. (2007) formalized UML meta models using Z specification, but he didn't give the reuse mechanism to support automatic model transformation.Zhang and Jouault (2009) defined the mapping rules between MARTE and FIACRE and performed the heterogeneous model transformation under the AMMA platform.This method separates syntax and semantics transformation, but it needs to construct complete meta model for the formal language.Sergiu-Mihai (2001) gave the detailed transformation rules between TCS model and Z++ and he took the time constraint into account, but most of the real time and embedded systems issues such as concurrency, delay et al. were not covered.Mekki and Ghazel (2010) developed an algorithm for transforming UML to timed automata to verify the TCS model and he just handled some time annotations used for expressing state invariant and transition guards.Wei and Wang (2011), Mirco and Gilmore (2008), Ermeson et al. (2008) and Nianhua (2010) proposed their model transformation approaches with restricted applicability.
In this study, we use Timed Communicating Object Z (TCOZ) proposed by Brendan and Dong (2000) as an analysis tool.Our aim is to introduce a TCS model verification approach which is easy to perform, convenient for reuse and non functional property centered.

TCOZ OVERVIEW
TCOZ is a combination of two formal languages, i.e., Object-Z proposed by Smith (2000) and Timed CSP proposed by Reed and Roscoe (1986).Object-Z is fit for modeling data and algorithm with a semantics of singlethread.Timed CSP is an extension of Hoare's Communicating Sequential Processes (CSP) algebra notation and fit for modeling real-time and concurrent behavior.TCOZ perfectly combines the merit of the two languages.
TCOZ adopts the basic structure of Object-Z with an extending concept of channel in the declaration of  1.The detailed semantics can be seen in Smith (2000).
TCOZ regards the operation scheme as the terminable CSP process which changes the state and regards the class as the non terminating CSP process.
The process STOP is the deadlocked process which does nothing; SKIP, on the other hand, is a special process that does nothing but terminates successfully; WAIT t represents the process terminates after time t during which it does nothing; a→P represents the execution sequence of event a and process P; The sequential composition P; Q is a process which first behaves as P but continues by behaving as Q immediately after P terminates successfully; The external choice operator PQ allows a choice of behavior according to what events are requested by its environment.P|||Q represents the asynchronous parallel of P and Q.? and !represent the input and output communication between the process.a@t records the time at which the event occurs and allows the subsequent behavior.An important concept in CSP is the notion of channel.A channel is a collection of events of the form c.n; prefix c is the channel name and collection of subfixes the allowed values of the channel.µP• [expression]→P represents the recursion process.Active objects have their own thread of control and have the MAIN identifier in the Timed CSP part.Passive objects are controlled by other objects and without an MAIN process.

MAPPING RULES
This section describes how to transform UML model annotated with MARTE to TCOZ.

Static mapping:
Static view shows the characteristics of the objects and relationships between them.2. State is a condition during the life of an object or an interaction during which it satisfies some condition.The condition may performs some action or wait for some events to occur.For general state, it is declared in the state scheme and can be transformed into the pre-condition or post-condition in the operation scheme corresponding to transition.Composite state includes sub states which are parallel or sequential and it can be divided into simple state.Initial state in composite state can be ignored semantically.Pseudostate has the form of state but different actions with the usual state vertex.We just take the initial state into account.Semantically initial state is translated to the initial state scheme.Action can be entry/exit/do action for a state and it can be transformed to operation scheme according to its semantic information.
Transition represents the change of an object from sourceState to effectState and specifies the reaction trace of an object to event.The transition is triggered by an event.Then it may perform specific actions provided that transition guard is satisfied.The general format of a transition is shown as follows:

Event-name [guard-condition] /action expression:
Event is the specification of a kind of change of state that may happen in the modeled system and it is divided into signal event, call event, change event and timed event.Semantically all of them can be seen as the satisfaction of some condition.We define a state attribute for each trigger in the TCOZ state scheme.We map them as precondition in the operation scheme corresponding to the transition, Except for timed event.MARTE extends the UML timed event meta class.It will be elaborated below.
Guard is a Boolean expression that transition will go if it is true.So it can be translated to the precondition in the predicate part.Action performed by the transition can be transformed into the operation scheme.The timed sequence of the actions can be presented by using the operator (;).In the concept of UML, the execution time of an action can be ignored compared with the external environmental event.
Transition can be defined as follows in TCOZ:

Transition≙[guardΛtrigger_condition]•actionSequ ence
In which actionSequence is the time sequence of the operation scheme corresponding to actions.
A complex transition comes from or goes to a series of parallel sub states.Join represents one source Join is equivalent to a simple transition where sourceState2 is regarded as an extra guard condition of the transition as shown in Fig. 3.
Fork is equivalent to two independent simple transitions as shown in Fig. 4.
Synchronization is equivalent to two independent simple transitions out of which sourceState2 is regarded as the guard of another transition as shown in Fig. 5.

MARTE stereotype mapping:
We are concerned about the time and resource non-functional property.ResourceUsage represents the run-time mechanism that effectively requires the usage of the resource.Its structure in MARTE is given in Fig. 6.UsageTypeAmount uses the Tagged value "execTime" to record the elapsed time and "energy" to record the use amount of the energy.
ResourceUsage has the state change of time and energy.It can be transformed into operation scheme semantically in which the type Z is transformed from MARTE type according to the rules defined above.Scheme of ResourceUsage is given in Fig. 7.In TCOZ there is the type T defined: In MARTE a clock is considered as a means to access to time, TimedElement in a model which refers to a clock can be approximately redefined using the type T in TCOZ.In TCOZ all timing information is represented as real valued measurements in seconds.
TimedInstantObservation denotes an instant in time when the observed object arrive at a state, A TimedDurationObservation denotes some interval of time between one state and another: TimedInstantObservation≙ A TimedConstraint is a constraint imposed on the occurrence of an event (TimedInstantConstraint), or on the duration of some execution, or even on the temporal distance between two events (TimedDuration Constraint).The constraints are specified by predicates (InstantPredicate and DurationPredicate) and both of them refer to the TimedObservation.TimedConstraint can be seen as the precondition for the transition: The number of occurrences can be limited by the repetition property.When is Relative is true, the event occurs after entering a state with a duration of when else event occurs at an absolute time when.NameTrue and Name False are the schemes corresponding to the event when is Relative is true and false respectively, which schemes are given in Fig. 10.TCOZ introduces a distinguished identifier δ to represent the duration of the state calculations performed by the operation.
The TimedEvent is transformed into the event_Name defined below.actionSequence is the actions triggered by the event: The TimedProcessing stereotype is a generic concept for modeling activities whose instants and durations are explicitly bound to clocks.When it is applied to a state machine, all the TimedElement inside are transformed according to the rules defined above.A delay represents a null operation lasting for a given duration, a delay of t after process P is expressed below.The processor and two sensors are stereotyped by RtUnit, which represents an autonomous execution resource.The isMain property is true represents that the processor has the same life cycle with the system.The main property shows the main entry of the system.The operations are stereotyped by RtService which depicts the concurrent policy, synchronization kind etc.
In this study, we are just concerned about the state machine corresponding to the processor.The state machine refers to an ideal clock through stereotype TimedProcessing.The trigger start is stereotyped by TimedEvent which has a period of 100 sec.TimedInstantObservation associates to the occurence of timed event start, change event getTarget and getSelf to record the occurring time.The change event getResult triggers the transition when the compute process is over.The state computing is stereotyped by ResourceUsage to depict the time elapsed in the inner transition.The stereotype TimedConstraint depicts the constraint of the TimedObservation.
Model transformation: Through parsing the XMI files created by papyrus and applying the mapping rules in the above section, the LaTeX format TCOZ specification can be got.Here we give the brief specification in Box format in Fig. 13 for reading.
The detailed transformation process is omitted for space limitation of this study.
Although we have proposed the approach to transform TCS model to TCOZ specification, there are still some limitations need to be pointed out.Firstly our work just covers a small part of MARTE.Secondly TCOZ is currently lacking in complete tool chains which limits the industrial application of this approach.

CONCLUSION
Combining of real time software modeling and formal method can enhance the dependability of system.In this study, we use UML model annotated with MARTE to represent a TCS.We provided the mapping rules between TCS model and TCOZ at the meta-model level.The main contributions of this study can be summarized as follows: • Mapping rules for UML static model especially some real-time related MARTE types to approximately express them in TCOZ.

Fig. 1 :
Fig. 1: Class definition in Object-Z class and operation.The mainly construction of the Object-Z is the class definition shown in Fig.1.The detailed semantics can be seen inSmith (2000).TCOZ regards the operation scheme as the terminable CSP process which changes the state and regards the class as the non terminating CSP process.The process STOP is the deadlocked process which does nothing; SKIP, on the other hand, is a special process that does nothing but terminates successfully; WAIT t represents the process terminates after time t during which it does nothing; a→P represents the execution sequence of event a and process P; The sequential composition P; Q is a process which first behaves as P but continues by behaving as Q immediately after P terminates successfully; The external choice operator PQ allows a choice of behavior according to what events are requested by its environment.P|||Q represents the asynchronous parallel of P and Q.? and !represent the input and output communication between the process.a@t records the time at which the event occurs and allows the

Fig. 11 :
Fig. 11: Static structure of the system

•
Transformation from statechart diagram to TCOZ by defining the mapping rules at meta model level.• Redefinition of MARTE stereotypes in TCOZ especially time and energy non functional property issues by defining scheme of Timer and DurationTimer.