

2 Methodology

## Simulation

Simulation: Transactions of the Society for Modeling and Simulation International I–24

© The Author(s) 2020 DOI: 10.1177/0037549720958056 journals.sagepub.com/home/sim





# A DEVS-based pivotal modeling formalism and its verification and validation framework

Kehinde G. Samuel , Nourou-Dine M. Bouare, Oumar Maïga and Mamadou K. Traoré

#### **Abstract**

System verification is an ever-lasting system engineering challenge. The increasing complexity in system simulation requires some level of expertise in handling the idioms of logic and discrete mathematics to correctly drive a full verification process. It is recognized that visual modeling can help to fill the knowledge gap between system experts and analysis experts. However, such an approach has been used on the one hand to specify the behavior of complex systems, and on the other hand to specify complex requirement properties, but not simultaneously. This paper proposes a framework that is unique in supporting a full system verification process based on the graphical modeling of both the system of interest and the requirements to be checked. Patterns are defined to transform the resulting models to formal specifications that a model checker can manipulate. A real-time crossing system is used to illustrate the proposed framework.

#### **Keywords**

High Level Language for Systems Specification (HiLLS), Discrete Event System Specification (DEVS), formal verification, temporal logic, model transformation, UPPAAL

#### I. Introduction

The continuous growth of systems of various kinds through human activities and the increasing complexities of the activities themselves lead to the continuous development of formal techniques to ensure safe and secure systems. The evolution of a system's functional requirements is often inevitably accompanied by a corresponding evolution of its complexities in structure and behavior; hence more efforts are required to monitor this evolution process to ensure that the resulting system is reliable and safe. This may involve a combination of scientific techniques such as simulation, prototyping, and formal analysis to carefully investigate the model before the implementation of the emerging system. Significant efforts and advances have been made toward making these techniques accessible individually. However, not much success has been recorded in unifying the various formalisms, thus, different models of different aspects of a system have to be treated. This is characterized by communication gaps between the different experts and consequently reduced efficiency of the entire process.

Simulation models are usually represented by different domain-specific modeling languages (DSML), most of which have no precise semantic definition. The semantics of simulation models are left to model simulators and translators; these are defined by general-purpose programming languages, which is unacceptable for formal analysis. Although the syntax of some recent DSML is formally described with metamodel, generally, the lack of formal model transformations contributes to the challenges of formal analysis at the model level. It is, therefore, a challenge to describe simulation models and its requirement specification formally to improve formal verification and analysis of models.

The High-Level Language for System Specification (HiLLS) has been proposed to fill such a gap.<sup>2</sup> HiLLS is a scalable visual modeling language that serves as a one-stop reference point through a harmonious combination of

<sup>1</sup>African University of Science & Technology, Abuja, Nigeria

#### Corresponding author:

Kehinde G. Samuel, African University of Science and Technology (AUST), Km 10, Airport Road, Galadimawa, Abuja, + 234, Nigeria. Email: keliake@aust.edu.ng

<sup>&</sup>lt;sup>2</sup>Université des Sciences des Techniques et des Technologies, Bamako, Mali

<sup>&</sup>lt;sup>3</sup>University of Bordeaux, IMS CNRS UMR 5218, Talence, France

modeling paradigms from system theory and software engineering to integrate the different aspects of a system in one coherent whole. As such, it is a pivotal visual language that allows model simulation, enactment, and formal analysis. To ensure these combined features, concepts have been borrowed from three formalisms that are universal, each in one of these three analysis domains, and seamlessly integrated through formalism weaving techniques, namely Discrete Event System Specification (DEVS), Unified Modeling Language (UML), and first-order logic. DEVS, which is recognized as a universal simulation modeling formalism,<sup>3</sup> provides the semantic domain for HiLLS-specified models simulation. Similarly, a UMLspecified pattern provides the architecture for HiLLS-specified models enactment, while first-order logic is used as the semantic domain for formal verification of HiLLSspecified models.<sup>5</sup>

However, while the objectives of having a highly communicable graphical concrete syntax and multiple semantic domain mappings for simulation, enactment, and accessibility to formal analysis have been achieved. there is a major concern in making such an approach effectively and easily usable. As illustrated by Figure 1, such a concern stands for each of the analysis methods (i.e., simulation, enactment, and model checking) in that a complete framework is needed to allow users to drive a whole process from visual modeling of a system to its analysis. Indeed, while a DEVS model can be automatically derived from a HiLLS specification, the full simulation process of such a model entails the specification of additional aspects (such as the experimental frame, simulation initialization, parameter tuning, etc.). Similarly, the full enactment process of the HiLLS-derived model entails the definition of additional aspects (such as realtime concerns, human-in-the-loop interface, etc.). And so does the full formal verification process of the HiLLSderived model. The latter is the focus of this paper, and we aim at achieving a supporting framework for such a process.

The paper is organized as follows. Section 2 discusses related works. Section 3 presents the HiLLS formalism and its editor. Section 4 introduces patterns that will serve as the building blocks for defining HiLLS semantics in a way that it is amenable to formal checking. Section 5 extends HiLLS to the specification of system requirements and provides semantics for such an extension. Section 6 shows how both the HiLLS-based system modeling and HiLLS-based requirements specification fall within a full formal verification framework. Section 7 illustrates the application of the framework with a well-known study case. Section 8 concludes the paper, by summarizing the work done and by giving perspectives for future work.

#### 2. Related works

Related works have addressed the formal analysis of DEVS models. These proposals range from formal model checking of sub-classes of DEVS, the transformation of DEVS into formal methods for verification purposes, generation of traces from DEVS models for testing, or introducing clock constraints to DEVS to conform to formal methods. We present some notable works in this area:

- Hong and Kim<sup>6</sup> proposed a method of verification of DEVS models in the DEVSim + + environment. The approach was to specify the model in DEVS and use temporal logic to specify the properties and time constraints of the system. The authors use a projection technique to reduce the state space. The lifetimes of the states are not taken into account, but the temporal logic allows expressing constraints on sequences of states. The technique used by the authors is very similar to the technique of model checking using Büchi automata.<sup>7</sup>
- Zeigler et al.<sup>8</sup> used a subclass of DEVS models having finite sets of states, inputs, and outputs, named FD-DEVS<sup>9</sup> to map the system representation onto a non-deterministic automaton that is subject to model checking using the SPIN/PROMELA model checker.
- Several related works align on the principle combining DEVS with Timed Automata, and the use of the UPPAAL model checker.<sup>10-13</sup>

Our work differs from all of the above in that we use a pivotal visual notation at both sides: one that has equivalent DEVS representation for system behavior and the other that has equivalent temporal logic representation for system requirements. Moreover, by building a full framework based on these visual notations, we provide a systematic verification approach, which most of the related works do not, as they require to add a suitable verification component for checking specific properties of interest.

#### 3. HiLLS-based system modeling

HiLLS can be seen as a visual language for DEVS (see in ANNEX A), with specific features for formal analysis and direct prototyping.<sup>2,4,14</sup> This is the point of view adopted here, although any of the two other formalisms and their underlying paradigms could be used as the entry point.

#### 3.1. HiLLS syntax

A template of how HiLLS represents a DEVS model is shown in Figure 2. A HiLLS-specified system is



Figure 1. From pivotal visual modeling to multiple analyses of complex systems.



Figure 2. Template for HiLLS representation of a DEVS model.

represented by an HSystem, which is denoted by a box similar to the UML class with an additional horizontal compartment and two vertical compartments. The left (respectively right) hand side vertical compartment has input (respectively output) ports attached to it. The concept of a port is defined as in DEVS. All declarations in HiLLS (whether ports or any other variables or functions) are done in first-order logic. The top horizontal compartment contains the name of the model and the declaration of its parameters. The immediate compartment below contains the declaration of state variables. The third compartment from the top contains the definitions of operations that use and manipulate all variables, including parameters and ports. Therefore, while a message received on some given input port causes a change of the internal state of the model, a call to some given modifier operation causes a change of the value of some given parameter. The bottom compartment contains the system's behavior described by the configuration transition diagram (i.e., the HiLLS automaton), an automaton in which nodes are configurations and which edges are configuration-toconfiguration transitions that can occur in the system. A configuration is defined by the assignment of specific values or constraints to state variables.

One can notice that the assignment of a specific value to each of the state variables gives a state in the sense of



**Figure 3.** HiLLS concrete syntax. (a) Finite configuration; (b) Passive configuration; (c) Transient configuration; (d) Internal transition; (e) External transition; (f) Confluent transition; (g) Initial configuration reference; (h) Decision node; (i) HSystem; (j) HClass.

DEVS (i.e., a particular configuration), while the assignment of constraints (rather than specific values) to some or all of the state variables gives a configuration that corresponds in DEVS to a family of states (instead of a single one). As such, a configuration depicts a set of properties that several states share. Configurations are a way to cluster a DEVS state set (whether finite or not) into a finite partition.<sup>5</sup> Figure 3 shows how the syntactic elements are visually captured by graphical elements.

A configuration has three visual representations: finite, passive, and transient configurations. A finite configuration (Figure 3(a)) is a 4-compartments box, which respectively contains the label of the configuration, the logic specification of its properties (such as the assignment of values and constraints to state variables), its sojourn time (which corresponds in DEVS to the value of the time advance function at states falling within this configuration), and the description of activities to be carried out when the system is in this configuration (which has no equivalence in DEVS but serves for the purpose of

enactment). An infinite configuration (Figure 3(b)) is a configuration in which sojourn time is  $+\infty$ ; therefore, its visual representation is reduced to a 3-compartments box, the compartment related to sojourn time being replaced by a double line at the right-hand edge of the box. A transient configuration (Figure 3(c)) is the one in which sojourn time is 0; therefore, its visual representation is reduced to a 3-compartments circle. A black circle (Figure 3(g)) allows to make reference to the initial configuration of the model.

The three kinds of configuration transitions are denoted by different labeled arrows with the operations accompanying the transitions (for the update of state variables, when needed) as part of the labels. For internal transition (Figure 3(d)), the value sent on the output port is also part of the label. For external transition (Figure 3(e)), the label includes the triggering condition on the receipt of a value on a port and the time elapsed by the model in its current configuration. The label for confluent transition (Figure 3(f)) is similar, except that there is no condition on the elapsed time (as it is known to be the sojourn time in this



Figure 4. HiLLS Graphical Editor.

case). Decision nodes (Figure 3(h)) can be used to define various possible routes during a transition, depending on conditions to be met by state variables.

An HClass (Figure 3(j)) denotes a software component that does not represent the model of a dynamic system, as opposed to an HSystem (Figure 3(i)). As such, it is a simple resource manipulated by model components and corresponds to a "regular" class in UML with attributes and methods specified by logical predicates. Both HSystem and HClass can be parameterized. The HSystem and HClass components can be linked by relationships such as aggregation, composition, generalization, and reference, with cardinalities attached to, as described by the UML metamodel (indeed HClass and HSystem are specializations of the UML Classifier mother class).

Consequently, an HSystem can be composed of other HSystems, and such a description corresponds to a DEVS coupled model. Interestingly, DEVS atomic and coupled models are visually described in HiLLS the same way.

Moreover, while a traditional coupled model will have in HiLLS a single configuration specifying the coupling information between its sub-components, a dynamic structure coupled model will have a configuration transition diagram with more configurations, each of them specifying a given architecture of the coupled model, and the transitions specifying the rules for the dynamic change of structure.

#### 3.2. HiLLS editor

An editor has been developed for HiLLS modeling, using the Graphical Modeling Framework (GMF) of the Eclipse IDE. As HiLLS model specification requires both graphical and textual representations, Xtext was used to capture the textual aspects of the model (such as labels, properties, and activities) and EuGENia, a plugin that overlays GMF, was used to process the geometric shapes that compose the model. The HiLLS Editor allows the drag-and-drop modeling of complex systems, as shown in Figure 4. The editor displays a workspace, with a central area where the model is drawn. To the left of the workspace is the Model view, where appears the hierarchy tree of the model, which provides easy navigation throughout the model components. On the right side of the workspace are three panels for modeling. The upper palette contains all the basic elements of the HiLLS concrete syntax (Configuration, Declaration, Activity, HSystem, etc.). The middle panel displays all connectors (Transition, Aggregation, Reference, and Composition). The bottom panel displays the temporal logic items for requirement specification.

#### 3.3. HiLLS-DEVS relation

Details of the correspondence between a DEVS model and a HiLLS automaton are given in Samuel et al.<sup>5</sup> The idea of HiLLS automaton is that a DEVS model (whether with finite or infinite state set) can be represented graphically with a finite HiLLS automaton for the purpose of formal analysis, without any loss of behavioral property, while still being adequate for simulation and enactment. Multiple states of an atomic DEVS model are mapped onto a single configuration in the corresponding HiLLS automaton. A Coupled DEVS model is mapped onto a composed HiLLS

automaton, which uses its configuration(s) to specify the coupling information between the sub-components of the corresponding DEVS model. The focus of this paper not being the HiLLS-DEVS relation, we avoid here the provision of unnecessary details and refer interested readers to Samuel et al.<sup>5</sup> for more on that aspect. We rather focus on providing a full formal verification framework to HiLLS. However, Figure 5 shows a DEVS model (a patient) and its HiLLS counterpart.

```
DEVS<sub>Patient</sub> = \langle X, Y, S, \delta_{int}, \delta_{ext}, \lambda, ta \rangle, with
X = \{(in, x) / x \in Viruses\}
Y = \{(out, x) \mid x \in Viruses\} \cup \{(status, y) \mid y \in \{S, E, I, D\}\}
S = \{1, 2, 3, 4, 5\} \times \Re_0^+
ta: S \rightarrow \Re_0^{-1}
     ta(s, \sigma) = \sigma \quad \forall \ s \in \{1, 2, 3, 4, 5\}
\delta_{\mathsf{int}} : \mathsf{S} \stackrel{\cdot}{\to} \mathsf{S}
     \delta_{\text{int}}(2, \sigma) = (3, t_{\text{INC}}) \quad \forall \sigma \in \Re_0^{+ \infty}
     Prob(\delta_{int}(4,\sigma)=(5,+\infty))=\sigma_{FAT} and
     Prob(\delta_{int}(4,\sigma)=(1,+\infty))=1-\sigma_{FAT}, \forall \sigma \in [0,t_{INF}]
          Prob(\delta_{int}(3,\sigma)=(3,t_{INC}))=\sigma_{INF} and
     Prob(\delta_{int}(3,\sigma)=(1,+\infty))=1-\sigma_{INF} \ \forall \sigma \in [0,t_{INC}]
     \lambda(2, \sigma) = (\text{status}, E), \forall \sigma \in \Re_0^{+\infty}
     Prob(\lambda(3,\sigma)=\{(\text{status,I}), (\text{out,vir})\})=\sigma_{\text{INF}} and
     Prob(\lambda(3,\sigma)=(status,S))=1-\sigma_{INF} \ \forall \sigma \in [0,t_{INC}]
     Prob(\lambda(4,\sigma)=(status,D)) = \sigma_{FAT} and Prob(\lambda(4,\sigma)=(status,S)) =
     1-\sigma_{\mathsf{FAT}}, \forall \sigma \in [0, \mathsf{t}_{\mathsf{INF}}]
\delta_{\text{ext}}: \overset{\cdots}{Q} \times X \to \overset{\bullet}{S}, \text{ with } Q = \{((s,\sigma), \, e) \, / \, (s,\sigma) \, \in \, S, \, 0 \, \leq \, e < \, \sigma\}
                                                                        \forall \sigma \in \Re_0^{+\infty}
     \delta_{\text{ext}}((1, \sigma), \text{ e, (in, vir)}) = (2, 0)
                                                                                                     \forall e \in [0, \sigma)
     \delta_{\text{ext}}((3, \sigma), e, (in, vir)) = (3, \sigma - e) \quad \forall \sigma \in [0, t_{\text{INC}}] \quad \forall e \in [0, \sigma)
     \delta_{\text{ext}}((4, \sigma), e, (in, vir)) = (4, \sigma-e) \quad \forall \sigma \in [0, t_{|NF}] \quad \forall e \in [0, \sigma)
```

A larger illustration of the concepts introduced in this section is given through the application presented in Section 7. As the application is meant to demonstrate the entire methodology proposed in the paper, it is presented after all theoretical aspects of the methodology are introduced. However, at this stage, in order to get an illustration of HiLLS modeling on the application, the reader can get the application presentation in Section 7, and the expression of the corresponding system models in Section 7.1 (which refers to ANNEX D for complements). Going to Section 7's introduction and Section 7.1, and then coming back to Section 4 is a way to match Section 3 with the application and possibly improve the readability of this section, while keeping the general structure of the paper from theory and methodology to application.

#### 4. Hills-to-UPPAAL patterns

Timed automata are among the most widely used models for the verification of real-time systems. To semantically map HiLLS to one of the formal method tools available (namely UPPAAL), we define patterns that provide building blocks to building the HiLLS formal method-based semantics. The subsequent sub-sections present these patterns.

Similar to matching Section 3 with the application presented in Section 7, the reader can switch between subsections of Section 4 on one hand, and Section 7.1 and ANNEX E on the other hand, to better match the concepts introduced in Section 4 with the application.

#### 4.1. Semantic pattern for configuration

The pattern shown in Figure 6 expresses the formal semantics of a HiLLS model in a given configuration, using a Timed Automaton (TA) composed of four types of locations, namely  $C_{curse}$ ,  $C_{end}$ ,  $C_{interrupt}$ , and  $C_{dilemma}$ , and a unique clock.

In this pattern, the lifetime of a configuration C starts at  $C_{curse}$ , where the property of the configuration is (e < ta) AND (mail =  $\emptyset$ ), with mail representing the input bag of the system. To overcome the fact that model-checking tools often restrain on-time representation as limited to integer values only, we represent a real-time value, such as e (elapsed time) and ta (time advance), as a pair of integer values (t<sub>int</sub>, t<sub>dec</sub>), where t<sub>int</sub> is the integral part of the time value, and  $t_{dec}$  is its decimal part. That way, t = t' is translated into  $((t_{int}-t'_{int} = 0) \text{ AND } (t_{dec}-t'_{dec} = 0))$ , while t < t'translates to  $((t_{int}-t'_{int} < 0) \text{ OR } ((t_{int}-t'_{int} = 0) \text{ AND } (t_{dec}-t'_{int} = 0))$ t'dec < 0))), with AND (respectively OR) being the conjunction (respectively disjunction) logical operator. Pairs of integer values (t<sub>int</sub>, t<sub>dec</sub>) are implemented in UPPAAL as 2D arrays, where t[0] implements t<sub>int</sub>, and t[1] implements t<sub>dec</sub>. Such a representation of time is one of the possible forms of superdense time as introduced in Nutaro<sup>15</sup> and brought to discrete-event simulation in Jouault et al. 16 within a very formal framework.

When the system enters the C<sub>curse</sub> location, e is set to 0.0 (hence e[0] = 0, and e[1] = 0), and ta is determined by update(ta). C<sub>curse</sub> means that the system is in the curse of C, and no input has been received yet by the system, nor the lifetime of C has elapsed yet. The TA takes a transition from  $C_{curse}$  to  $C_{end}$  when (e = ta) AND (mail =  $\emptyset$ ), but if before that condition is met, a message ?x is received at elapsed time e, the TA transits to C<sub>interrupt</sub>(x). There are as many locations C<sub>interrupt</sub>(x) as the number of possible values of x that the system can receive in the C configuration. From each Cinterrupt(x), the TA will do as many external transitions as the number of possible values for e. From a theoretical point of view, there is a potential of combinatorial explosion for the number of locations of type C<sub>interrupt</sub>(x), as well as for the number of external transitions that can be taken from each location  $C_{interrupt}(x)$ . However, in practice, models have very limited number of different cases for an external transition. In any case, this aspect is intrinsically a limitation of our approach.



Figure 5. DEVS model example and its HiLLS counterpart.



Figure 6. Semantics pattern for HiLLS active configuration.

At the  $C_{end}$  location, an internal transition takes place and an output !y is sent, unless a message is received exactly at that moment, leading then to a transition to  $C_{dilemma}(X)$  where a confluent transition takes place and an output !y is sent. Internal, external, and confluent transitions taken from any location of the C configuration each lead to the location corresponding to the curse of another

configuration. Then the same pattern applies to that new configuration, and so on.

Figure 7 illustrates how the semantics of a HiLLS model is given by a TA, using the pattern. Figure 7(a) shows the HiLLS automaton, and Figure 7(b) shows how its semantics is built in TA (but only the translation for the C1 configuration is shown).



Figure 7. Illustration of (partial) semantics mapping from HiLLS to UPPAAL.

From  $C1_{curse}$  of Figure 7(b), two types of external transitions are possible based on the type of message received. If ?start is received then a transition to  $C1_{interruptStart}$  (for  $C1_{interrupt}(Start)$ ) will happen and if ?stop is received, then a transition to  $C1_{interruptStop}$  (for  $C1_{interrupt}(Stop)$ ) will happen. The external transition from each of the  $C1_{interrupt}(x)$  can go to different other configurations' curses, depending on the elapsed time, as stated by the HiLLS model.

#### 4.2. Pattern variants

From the general configuration pattern previously presented, we derive the variants presented by Figure 8.

These variants, together with the general pattern, form the building blocks for a complete translation of any HiLLS model into its UPPAAL TA counterpart:

- Figure 8(a) presents the *interruptless configuration* pattern, where only internal and confluent transitions are possible, as no input is received by the
   corresponding HiLLS model in the corresponding
   configuration (therefore no external transition
   happens).
- Figure 8(b) presents the *conflictless configuration* pattern, where only internal and external transition are possible (no confluent transition).
- Figure 8(c) presents the *interruptless and conflict-less configuration pattern*, where an only internal transition happens.
- Figure 8(d) presents the *passive configuration pattern*, where only external transitions are possible.
- Figure 8(e) presents the *interruptless passive configuration*, no transition (whether external, internal or confluent) is possible.

#### 4.3. Patterns for hierarchical composition

None of the patterns defined in the previous section takes care of the case of HiLLS composed automata. In order to handle this case, we proceed as follows:

- (1) A feedback loop location transition is used in UPPAAL to semantically translate the DEVS simulation protocol, according to which, when a HiLLS component sends a message, the composed model is the one to first receive that message, before it forwards it to the appropriate recipients of the message.
- (2) Messages are systematically labeled in UPPAAL with the name of the sender/receiver components. That way, when a message is sent by a HiLLS component, its encapsulating HiLLS model identifies the origin of the message, and with the composition information, transforms it to be a message tagged with the name of the recipient.

The composition steps described above is illustrated in Figure 9. The interruptless passive configuration pattern corresponding to a composed HiLLS model translates into a single location in UPPAAL, in conformance with the pattern of Figure 8(e). It is assumed that this composed model has a component named *sender* (therefore, all messages sent from or received by any location that corresponds to a configuration of the *sender* component are tagged in UPPAAL with *< sender>*), and a component named *receiver* (therefore, all messages sent from or received by any location that corresponds to a configuration of the *receiver* component are tagged in UPPAAL with *< receiver>*). The location of the composed HiLLS has a feedback loop such that if a message is sent by the sender component, it is intercepted by this location, which



Figure 8. Variants of the semantics pattern for HiLLS configurations. (a) Interruptless configuration pattern; (b) Conflictless configuration pattern; (c) Passive configuration pattern; (d) Interruptless conflictless active configuration; (e) Interruptless passive configuration.

in turn will emit a message with the same content but tagged with the identity of the receiver component (we know that the composition information is defined in the configuration's property).

Another way to address the case of HiLLS composed automata is to apply the "closure under composition" property of DEVS, which establishes that any coupled DEVS model has a corresponding atomic model. That way, any coupled model can be translated into an equivalent atomic model, and doing this would avoid the need to use the pattern introduced here. However, such an approach can be error-prone if not automated, as well as time-consuming for very complex systems hierarchies. In a given situation, the choice of either using the pattern introduced here or flattening the HiLLS composed automata before translating it into UPPAAL depends on how

practical would be the application of the closure under composition property.

#### 4.4. HiLLS to UPPAAL transformation with Atlas Transformation Language (ATL)

We automate the HiLLS-to-UPPAAL transformation by implementing the general configuration pattern and its variants as Atlas Transformation Language (ATL) rules. ATL<sup>17</sup> is a model transformation language specified as both a metamodel and a textual concrete syntax. ATL follows the model transformation process that takes a source model in a specific form as inputs and outputs another form of the target model according to a set of predefined rules. ATL snippets of HiLLS-to-UPPAAL rules are detailed in ANNEX B.



**Figure 9.** Semantic pattern of message transmission between two components by the composed model.

#### 5. HiLLS-based requirement specification

In the context of a HiLLS-based systems engineering, the sequence of configurations visited during execution describes the behavior of a system. Hence, a temporal logic can be used for the specification of, and reasoning with, the behavior of an ideal system. This behavior of the ideal system can serve as the metamodel that specifies the required behavioral properties of the real system. Therefore, with the help of verification techniques such as model checking, <sup>18</sup> we can verify whether or not a given model of the real system satisfies the required properties.

Good candidates for the description of temporal property requirements exist, such as Linear Temporal Logic (LTL), <sup>19</sup> or Computation Tree Logic (CTL), also known as branching temporal logic. <sup>20</sup> However, it is common knowledge that dealing with such formalism is usually non-trivial. It takes some level of expertise in handling the idioms of logic and discrete mathematics to correctly read and/or write complex requirement properties. Lack of this expertise has been widely acknowledged by formal methods researchers as one of the main inhibitors to the wide adoption of formal verification tools.

In an effort to proffer a solution to this problem, Dwyer et al.<sup>21</sup> hypothesized that the experience base of experts in specification formalisms could be captured in parameterized patterns in formalism-independent formats to allow for systematic mapping to equivalent representations in

some known specification formalism. They argued that this could be an easy way to transfer the experiences of experts in the domain to emerging practitioners and potential users.

Dwyer et al. were inspired by the successes that had been recorded with the use of design patterns to provide guidance on the best ways to language features to solve recurring problems by documenting tested solutions to such problems in patterns that can be easily reused to solve similar problems. With this, they envisioned the success of a pattern-based approach to the formal specification of properties of finite-state systems for verification. The output of their research was the recognition of some commonly occurring requirement property patterns from a collection of over 500 property specifications they collected from about 35 sources comprising academia and industry. They then proposed parameterized templates for the recognized property patterns in five property specification formalisms, including LTL, CTL, and Timed Computation Tree Logic (TCTL), which some other researchers later reproduced in additional formal methods' languages. 22,23

We propose to use variants of the elements of HiLLS for expressing graphically the templates suggested by Ferro. <sup>21</sup> We believe that uniformity of notations in both system and requirement models, due to the use of a pivotal language, will aid the user's specification and understanding of required temporal properties for complex systems. Similar benefits have motivated Meyers et al. <sup>24</sup> and Klein and Giese<sup>25</sup> to propose a framework to support the use of domain-specific notations for specifying properties in Domain-Specific Languages (DSLs).

To express the temporal properties, we propose basic notations (Figure 10) as the building blocks to specify temporal properties based on Dwyer's property patterns:

• The universal existence configuration notation (Figure 10(a)) is a generic representation for any configuration that matches the set of information given by the notation (name, or/and predicates). In



**Figure 10.** Building blocks for property patterns representation in HiLLS. (a) Universal existence; (b) Eventual existence; (c) Absence; (d) Bounded existence; (e) Implication; (f) Next; (g) Concurrency.

addition, this pattern specifies that all configurations visited during the lifetime of a system within a given scope (to be defined) must match the set of information given by the pattern.

- The eventual existence configuration notation (Figure 10(b)) is a similar generic representation, with the difference that it only requires at least one of the configurations visited within a given scope (to be defined) must match the set of information given by the pattern.
- The absence configuration notation (Figure 10(c)) is also defined similarly, with the difference that it requires that any of the configurations visited within a given scope (to be defined) must match the set of information given by the pattern.
- The bounded configuration notation (Figure 10(d)) is defined the same generic way, with the difference that it requires the configurations visited within a given scope (to be defined) must match the set of information given by the pattern only a bounded number of times. The lower (respectively upper) bound is indicated in the lower (respectively upper) compartment of the circle at the right-hand side of the generic configuration. The default value (i.e., when not indicated) for the lower (respectively upper) bound is 1 (respectively + ∞).
- The implication notation (Figure 10(e)) relates two generic configuration notations in that the matching of the first one implies the matching of the second.
- The immediate implication notation (Figure 10(f)) is similar, with the difference that the implied configuration must be matched at the next transition of the system.
- The concurrency notation (Figure 10(f)) corresponds to the logical AND between two generic configurations.

#### 5.1 Property scope notations

Table 1 presents the graphical notations introduced in HiLLS to support the property scopes defined in Ferro.<sup>21</sup> As a temporal property specification is an abstract assertion on a segment of the execution of a system, we denote the entire execution by the elements between the initial configuration (solid ball) and final configuration (bull's eye) symbols. Each of the scopes describes the segment of the entire execution within which the specified property pattern (represented by dotted lines) must hold. Thus, to use any of the scope templates, we replace the dotted lines with the property pattern to be checked.

The scopes are:

 "Globally" scope, as the name implies, specifies that a property should hold throughout the execution of a system.

- "Before R" (respectively "After R") scope specifies that a given property must hold before (respectively after) the occurrence of a specified property R.
- "Between Q and R" implies that a given property must hold after the occurrence of Q and before R where it is certain that R will eventually occur.
- "After Q until R" has a similar implication with "Between Q and R" except that, in the former, it is not certain whether R will occur or not.

Note that the transitions between the generic configurations are abstract transitions without specific operations, triggers, or output events. Hence, they do not specifically indicate any of the three kinds of configuration transition.

#### 5.2 Property pattern notations

Dwyer et al. have classified property patterns into two categories: occurrence and order, to describe properties on the occurrences or non-occurrence of properties, and relative order of properties respectively within the segment of execution defined by the associated scopes.

Occurrence patterns include:

- Absence (which specifies properties that must never occur within the specified scope);
- Universality (which specifies properties that must continuously occur within the specified scope);
- Existence (which specifies properties that must occur at least once within the specified scope); and
- Bounded existence (which specifies the maximum possible number of occurrences of certain properties within the specified scope).

#### Order patterns include:

- Precedence (which specifies a cause and effect relationship between two properties such that the occurrence of one must always have been preceded by the occurrence of the other within the specified scope):
- Response (which specifies a stimulus and response relationship between two properties such that the occurrence of one must always eventually be followed by the occurrence of the other within the specified scope);
- Chain precedence (which specifies a variant of the precedence pattern with m-cause to n-effect where m, n ∈N); and
- Chain response (which specifies a variant of the response pattern with m-stimulus to n-response where  $m, n \in N$ ).

Table 2 presents graphical notations introduced in HiLLS to support these patterns. The basic notations support directly the Absence, Universality, Existence, and

Table 1. Property scope notations in HiLLS.

#### Descriptions Property scope notations The property pattern (to replace the dotted lines) must be satisfied in every configuration throughout the execution between the initial and final configuration. Globally The property pattern (to replace the dotted lines) must be satisfied R label before a transition into a configuration matching R. R predicate Before R The property pattern (to replace the dotted lines) must be satisfied R label after a transition into a configuration matching R. R predicate After R The property pattern (to replace the dotted lines) must be satisfied O label R label after a transition into a configuration matching Q and before a Q predicate R predicate transition into a configuration matching R. Between Q and R The property pattern (to replace the dotted lines) must be satisfied after a transition into a configuration matching Q, and continue to Q label hold until a configuration matching R occurs. If R does not occur, Q predicate then the scope of the specified pattern continues until the end of R label execution. R predicate After Q until R

Bounded existence patterns. They are combined with additional symbols to support the remaining property patterns. Notice that the circle used in the precedence patterns can be seen as a mnemonic indication of the required property in an implication relationship (e.g., in S precedes R, S is required anytime R occurs, while in R responds to S, R is required anytime S occurs).

#### 5.3 Patterns and scopes for composed models

To extend these notations to composed HiLLS models, we allow the requirements specification of such models to make reference to the generic configurations of their components by tagging them with the name of the corresponding components, as indicated by Figure 11. The relationships defined in Table 2 still hold for the elements of Figure 11. Consequently, requirements can be specified for HiLLS composed models, either by using generic configuration notations derived from its configuration transition diagram or by using the ones derived from the configuration transition diagrams of its component models.

#### 5.4 Mapping to TCTL

The requirements specifications can be mapped onto TCTL (and many other temporal formalisms), such that once the user has a HiLLS-specified requirement model,



**Figure 11.** Generic configuration specification of a HiLLS composed model. (a) Universal existence for component property; (b) Eventual existence (for idem); (c) Absence (for idem); (d) Bounded existence (for idem).

**Table 2.** Property pattern notations in HiLLS.



the corresponding logic-based queries can be generated. There exist tools to automatically check such queries against the system model. We use the UPPAAL tool for that purpose. ANNEX C gives for each of the property patterns, the corresponding TCTL/CTL specifications in the context of the scope patterns.

#### 6. HiLLS-based verification framework

Systems properties can be expressed at different levels of abstraction. At higher levels, requirements resemble

general principles and global expectations, for which there is no tool for automated verification. At the lower levels, requirements are detailed such that formal tools can be used, but this entails mathematical skills that are not commonly shared. We suggest a layered approach to bridge the gap between these extremes, as shown by Figure 12's right-hand side. In this organization, properties at a given level can be expressed in terms of properties at the immediate lower level. We consider three levels of abstraction:

(1) At the higher level are conceptual properties, such as fairness (also known as starvation-freedom),



Figure 12. HiLLS-based formal verification framework.

deadlock-freedom (also known as progress), termination, real-time correctness...

- (2) The medium level is where the user needs to reduce a higher-level property to either a safety property, or a liveness property, or a combination of both properties. In a generic way, Safety specifies that "Something bad will never happen," while Liveness specifies that "Something good will eventually happen." For example, deadlock-freedom can be expressed either as repeated liveness or safety or safety termination can be expressed as liveness to some desired end and fairness can be expressed either as repeated liveness or safety —e.g., in the mutual exclusion property, having always at most one process in its critical section is a typical safety property, where the bad thing is that more than one process is in its critical section.
- The lowest level is where Safety and Liveness are expressed as Reachability properties. A reachability property states that some particular situations can be reached. If P is the something in Safety, then "Something bad will never happen" translates to "Never P." If Q is the something in Liveness, then "Something good will eventually happen" translates to "Eventually Consequently, both are reachability problems. The user needs to place them within a given scope (e.g., the entire lifetime of the system, or a given lifetime window). The resulting requirement can be graphically captured using the notations we have introduced and automatically translated to logic queries that a formal tool can check.

Figure 12 depicts the full process of HiLLS-based visual modeling and the UPPAAL-based verification framework. On one side, HiLLS offers visual modeling means to capture the structure and behavior of the system. The patterns defined allow us to translate such a model into a UPPAAL TA. On the other side, the user can start with a high-level elicitation of requirements, then reduce it to an intermediate level of property analysis, and then a low level of reachability. Then the extended notations to HiLLS offer a visual means to capture the resulting requirements model. Rules defined in ANNEX C translate such a model into TCTL statements, which can directly be expressed as UPPAAL queries. The UPPAAL tool allows to check the queries against the TA model.

#### 7. Application

To illustrate the application of our framework, let us capitalize on the well-known automated unmanned railway level crossing system described in Figure 13.

The crossing is guarded by a gate, which is used to close the road when a train is crossing. Two sensors, one located upstream of the crossing, and the other downstream, are used to detect the arrival and exit of a train. The two sensors communicate the entrance and the exit of a train to the controller. The control system receives remote signals from the sensors, and remotely closes and opens the gate.

#### 7.1. HiLLS-based system modeling

Figure 14 shows the HiLLS model of the Crossing system as drawn in HGE. The entire system is a composition of



Figure 13. Automated unmanned railway level crossing system.

five system components. These components are individually detailed in ANNEX D.

The entire system has a unique passive configuration labeled Network which depicts the relationships between components, and which translates the static nature of the composition. The predicate of the Network configuration provides the coupling information between the components, i.e., the Train's output port "Out" is connected to both the sensors' and the Controller's input ports "In", while the Controller's output port "Out" is connected to the Gate's input ports "In".

Figure 15 presents the corresponding UPPAAL Timed Automata, using the semantic pattern defined in Figure 9. Semantic translations of all the HiLLS component models into corresponding UPPAAL automata using the configuration pattern variants previously defined are displayed in ANNEX E.

The composed system, while in its unique location Network<sub>curse</sub>, receives signals from some components and translates them into signals to other components:

- If approachTRAIN is received from Train, then approachENTRANCESENSOR is sent to Entrance\_Sensor and approachCONTROLLER is sent to Controller.
- If *openCONTROLLER* is received from Controller, then *openGATE* is sent to Gate.
- If closeCONTROLLER is received from Controller, then closeGATE is sent to Gate.
- If *exitTRAIN* is received from Train, then *exitEXITSENSOR* is sent to Exit\_Sensor and *exitCONTROLLER* is sent to Controller.

#### 7.2 HiLLS-based requirements specification

Our high-level requirements knowledge is that such a system has security concerns (among others), as regards to vehicles and pedestrians crossing the level by the road. We do not want users to be crushed by a high-speed train. We then reduce this security concern to "something bad will never happen" (mid-level Safety requirement), where something bad is "gate open while train crossing." The corresponding low-level requirements (i.e., scope and properties elucidated) are given by Figure 16.

As shown by Figure 16, three cases can be considered:

(1) The requirement is expressed as a specific configuration of a model. While Figure 16(a) requires



Figure 14. HiLLS model of the crossing system.



Figure 15. UPPAAL timed automata of the crossing system.

that the gate must eventually open, Figure 16(b) requires that the train must never cross the level.

- (2) The requirement is expressed as a predicate that one or more configurations can satisfy. Figure 16(c) requires that the gate must be in a passive configuration at least twice, while Figure 16(d) requires that whenever a train approaches, it crosses eventually.
- (3) The requirement is defined over multiple components of a composed model. Figure 16(e) requires that always the gate must be closed when a train is crossing, while Figure 16(f) requires that always the crossing of a train must be preceded by the closing of the gate.

#### 7.3. HiLLS-based system verification and validation

Figure 17 shows how the requirement "Whenever a train is crossing, the gate is closed" translates to UPPAAL query, and the failure of the checking. This result reveals

that the system is not safe, as there exist cases where the train is crossing and the gate is open, which violates the safety property.

A known solution to this crossing system is to protect the crossing level by a traffic light that receives information to turn red or green from the controller. The controller also controls the opening and the closing of the gate. This solution has easily been modeled, verified, and validated in the HiLLS framework.

#### 8. Conclusion

This paper proposes a framework to support a full system verification process, using the High Level Language for Systems Specification (HiLLS) as a visual pivotal formalism. The process comprises the specification of both the discrete-event behavior of the system of interest and the temporal requirements to be checked against it. As HiLLS provides a graphical concrete syntax to the well-known DEVS formalism, the latter provides the semantic domain for the discrete-event simulation of HiLLS-specified models. To extend HiLLS capabilities to requirements specification, we adopted concepts from a pattern-based classification of Temporal Logic specifications of commonly occurring temporal requirements, for which we provided graphical notations using HiLLS syntactical elements. Well-defined transformation patterns allow us to make HiLLS specifications amenable to UPPAAL checking, where at one side the system model is turned to a UPPAAL Timed Automaton and the requirements model is turned to UPPAAL queries.

We agree with the belief that the definition and use of high-level abstractions in writing formal specification is an important factor in making automated formal methods, specifically finite-state verification tools, more suitable. Therefore, providing graphical notations to describe



**Figure 16.** HiLLS-based requirements specifications for the crossing system. (a) The gate eventually opens; (b) The train never crosses the level; (c) The gate passivates at least twice; (d) Always, a train approaching eventually crosses; (e) Whenever a train is crossing, the gate is closed; (f) Gate closing always precedes train crossing.



Figure 17. "Whenever a train is crossing, the gate is closed": Not satisfied.

systems and their requirements is a step toward bridging the gap between system experts and analysis experts. Moreover, having a highly communicable concrete syntax and multiple semantic domain mappings achieves the aim of providing a pivotal formalism for multiple analysis approaches, including the formal analysis of system properties without the need to run time-consuming experiments.

The proposed framework is unique in supporting a full system verification process based on the graphical modeling of both the system of interest and the requirements to be checked, using a drag-and-drop editor.

Much remains to be done for large-scale adoption, which we target as future work, including:

- The distribution of the HiLLS editor as an Eclipse plugin;
- The development of automated transformation engines for more temporal logic formalisms (other than TCTL), in order to allow the use of model checking tools other than UPPAAL; and

 The development of connectors from the HiLLS editor to existing DEVS tools (see http://www.sce.carleton.ca/faculty/wainer/standard/tools.htm, last accessed on 28/02/2020).

#### **ANNEX A: DEVS formalism**

An atomic DEVS model is defined by the n-uple:  $\langle X, Y, S, \delta_{int}, \delta_{ext}, \delta_{conf}, \lambda, ta \rangle$ , where

- X, Y, and S are, respectively, the input set, output set, and state set (at any time, the system modeled is in one of the possible states)
- ta:  $S \rightarrow \Re_0^{+\infty}$  is the time advance function (i.e., it gives the lifespan of each state), with  $\Re_0^{+\infty}$  designating the set of non-negative real numbers, including  $+\infty$
- δ<sub>int</sub>: S → S is the internal transition function (i.e., it is triggered only when the elapsed time in the system's current state s<sub>curr</sub> has reached ta(s<sub>curr</sub>) without the system being disturbed by any receipt of input)

- λ : S → Y is the output function (i.e., it computes the output of the system, each time an internal transition is occurring)
- $\delta_{ext}: Q \times X \to S$  is the external transition function (i.e., it is triggered only when the system receives an input, while the elapsed time in the system's current state  $s_{curr}$  has not reached  $ta(s_{curr})$ , and  $Q = \{(s,e) \mid s \in S, 0 \leqslant e < ta(s)\}$  is called the total state
- δ<sub>conf</sub>: S × X → S is the confluent transition function (i.e., it is triggered only when the system receives an input at exactly the time that the elapsed time in the system's current state s<sub>curr</sub> has reached ta(s<sub>curr</sub>))

The operational semantics of an atomic DEVS model is informally described as follows: at the start, the systems are in an initial state and remain there until the time specified by ta is exhausted or until input event is received. In the former case, an internal transition function occurs then the system switches to another state after sending output event as defined by the output function  $\lambda$ . In the latter case if an input event is received before the specified time, then the external transition function is applied. When a collision occurs, i.e., an external event is received concurrently with the elapsed time equal to the time specified by the time advance function, the confluent function is applied in such a way that the system sends output value and changes to a new state.

A coupled DEVS model is a structure:  $\langle X_{self}, Y_{self}, \{M_d\}_{d \in D}, \{I_d\}_{d \in D}, \{Z_{i,j}\}_{i \in D \cup \{self\}, j \in Ii} \rangle$ , where

- X<sub>self</sub> and Y<sub>self</sub> are defined the same way X and Y are for atomic models (self being here a reference to the coupled model, while component models are referred to using indices such as i, j or d)
- D is the set of component references (thus, not including self)
- M<sub>d</sub> is the component model referenced by d, an atomic or a coupled model, with X<sub>d</sub> and Y<sub>d</sub> as respectively its input and output set
- I<sub>d</sub> is the influence set of component model d, i.e., all other models sending input to d
- Z<sub>self,d∈Iself</sub>: X<sub>self</sub>→ X<sub>d</sub> are the external input transfer functions, which determine how inputs received by self are translated into inputs to component models influenced by self
- $Z_{d/self \in Id,self}: Y_d \rightarrow Y_{self}$  are the external output transfer functions, which determine how outputs sent by component models influencing self are translated into outputs of self
- $Z_{i\in D, j\in D-\{i\}}: Y_i \rightarrow X_j$  are the internal transfer functions, which determine how outputs sent by component models are translated into inputs to component models they influence

## ANNEX B: ATL snippets of HiLLS to UPPAAL transformation

```
rule HSystemPorts2UPPAALCha {
  from
       hillsPort: HiLLS!Port
  to
       uppaalcha: UPPAAL!Channels (
       Inchannel < - hillsPort.portName.input,
       Inchannel < - hillsPort.portType.port</pre>
       Name.toString(),
       Ochannel < - hillsPort.portName.output,
       Ochannel < - hillsPort.portType.
       concat(uppaalcha)
)
rule HiLLSDec2UPPAALDec{
  from
     hillsDecl: HiLLS!Variable
   to -HiLLS Declaration -> UPPAAL Delaration
     uppaalDec :UPPAAL!Declaration(
     name < - hillsDecl.variableName,
     type < - hillsDecl.variableType
rule HiLLSConfig2UPPAALLocation{
     hillsConfig: HiLLS!Configuration
  to -HiLLS Configuration -> UPPAAL Location
      uppaalLoc: HiLLS!Configuration (
     stateID < - hillsConfig.label,
     property < - hillsConfig.properties,
     timeAdvance < - hillsConfig.sojournTime
rule HSystemPorts2UPPAALCha {
  from
     hillsPort: HiLLS!Port
  to
     uppaalcha: UPPAAL!Channels (
       Inchannel < - hillsPort.portName.input,
       Inchannel < - hillsPort.portType.portName.
       toString(),
       Ochannel < - hillsPort.portName.output,
       Ochannel < - hillsPort.portType.concat
       (uppaalcha)
rule InitialConf2InitialLoc{
     hillsIni: HiLLS!InitialConfiguration
     uppaalIni: UPPAAL!InitialLocation (
     name < - hillsIni.startingCong.label
```

```
rule Configuration2Location {
    from
        hillsConf : HiLLS!Configuration
    to
        uppaalLoc : UPPAAL!Location (
        name < - hillsConf.label,
        invariant < - hillsConf.sojournTime,
        guard < - hillsConf.properties,
        update < - hillsConf.activities
    )
}</pre>
```

## **ANNEX C: TCTL/CTL** templates for occurrence property patterns

Variables p, q, and r, are user-defined properties. The  $\diamondsuit$ ,  $\Box$ , and  $\circ$  operators are, respectively, the eventually, always, and next operators. The w operator is the weak

until operator which may be related to the strong until operator (Y) using any of the following equivalences:

$$pwq = (\Box p) \lor (pYq)$$
$$pwq = \diamondsuit(\neg p) \Rightarrow (pYq)$$
$$pwq = pY(q \lor \Box p)$$

In addition to the logical and temporal operators used in LTL, CTL supports the use of the *existential path quantifier*  $\exists$  (resp. *universal path quantifier*  $\forall$ ) for the specification of properties that must be satisfied by *some* (resp. *all*) computations starting in a state of interest. For example,  $\forall \Diamond$ p requires that  $\Diamond$ p holds in all paths of executions starting from the state of interest, while  $\exists \Diamond$ p requires that  $\Diamond$ p holds in at least one path of executions starting from the state of interest.

Readers may refer to Pnueli<sup>18</sup> for more details on basic temporal operators, as well as a good introduction to LTL and CTL.

#### Absence(p is false)

Globally  $\forall \Box (\neg p)$ Before r  $\forall [(\neg p \lor \forall \Box (\neg r)) w \ r]$ After q  $\forall \Box (q \Rightarrow \forall \Box (\neg p))$ 

Between q and r  $\forall \Box (q \land \neg r \Rightarrow \forall [(\neg p \lor \forall \Box (\neg r)) \ w \ r])$ 

After q until r  $\forall \Box (q \land \neg r \Rightarrow \forall [\neg pw \ r])$ 

#### Existence (p becomes true)

Globally  $\forall \Diamond p$ Before r  $\forall [\neg rw (p \land \neg r)]$ After q  $\forall [\neg qw (q \land \forall \Box (p))]$ Between q and r  $\forall [\neg q \land \neg r \Rightarrow \forall [\neg rw (p \land \neg r)])$ After q until r  $\forall \Box (q \land \neg r \Rightarrow \forall [\neg r\Box (p \land \neg r)])$ 

#### **Bounded Existence** (b occurs at most n times)

Globally  $\neg \exists \Diamond (\neg p \land \exists \circ (p \land \exists \Diamond (p \land \exists \circ (p \land \exists \circ (p \land \exists \circ (p))))))$ 

 $Before \ r \qquad \neg \exists [\neg r \Box \ (\neg p \land \neg r \land \exists \circ (\ p \land \Box \ [\neg r \Box \ (\neg p \land \neg r \land \exists \circ (\ p \land \exists [\neg r \Box \ (\neg p \land \neg r \land \exists \circ (\ p \land \neg r))]))]))]$ 

After  $q = \neg \exists [\neg q \Box (\dot{q} \land \exists \diamond (\neg p \land (\neg$ 

Between q and r  $\forall \Box (q \Rightarrow \neg \exists [\neg r \Box (\neg p \land \neg r \land \exists \circ (p \land \exists [\neg r \Box (\neg p \land \neg r \land \exists \circ (p \land \neg r \land \exists (p$ 

#### Universality (p is true)

Globally  $\forall \Box (p)$ 

Before r  $\forall [(p \lor \forall \Box (\neg r)) \text{ wr}]$ After q  $\forall \Box (q \Rightarrow \forall \Box (p))$ 

Between q and r  $\forall \Box (q \land \neg r \Rightarrow \forall [(p \lor \forall \Box (\neg r)) wr])$ 

After q until r  $\forall \Box (q \land \neg r \Rightarrow \forall [pwr])$ 

#### Precedence (s precedes p)

Globally  $\forall [\neg pws]$ 

Before r  $\forall [(\neg p \lor \forall \Box (\neg r)) \text{ w } (s \lor r)]$ After q  $\forall [\neg q \text{w } (q \land \forall [\neg p \text{ws}])]$ 

Between q and r  $\forall \Box (q \land \neg r \Rightarrow \forall [(\neg p \lor \forall \Box (\neg r)) \ w \ (s \lor r)])$ 

After q until r  $\forall \Box (q \land \neg r \Rightarrow \forall [\neg pw (s \lor r)])$ 

(continued)

#### Continued

#### Response (s responds to p)

Globally  $\forall \Box (p \Rightarrow \forall \Diamond (s))$ 

Before r  $\forall [((p \Rightarrow \forall [\neg r \Box (s \land \neg r)]) \lor \forall \Box (\neg r))wr]$ 

After q  $\forall [\neg qw (q \land \forall \Box (p \Rightarrow \forall \Diamond (s))]$ 

Between q and r  $\forall \Box (q \land \neg r \Rightarrow \forall [((p \Rightarrow \forall [\neg r \Box (s \land \neg r)]) \lor \forall \Box (\neg r)) \text{ wr}])$ 

After q until r  $\forall \Box (q \land \neg r \Rightarrow \forall [(p \Rightarrow \forall [\neg r \Box (s \land \neg r)])wr])$ 

#### Precedence chain (p precedes s, t)

Globally  $\neg \exists [\neg p U (s \land \neg p \land \exists \circ (\exists \diamondsuit(t)))]$ 

Before r  $\neg \exists [(\neg p \land \neg r) \cup (s \land \neg p \land \neg r \land \exists \circ (\exists [\neg r \cup (t \land \neg r)]))]$ After q  $\neg \exists [\neg q \cup (q \land \exists [\neg p \cup (s \land \neg p \land \exists \circ (\exists \circ (t)))])]$ 

Between q and r  $\forall \Box (q \Rightarrow \neg \exists [(\neg p \land \neg r) \ \cup (s \land \neg p \land \neg r \land \exists \bigcirc (\exists [\neg r \cup (t \land \neg r \land \exists \bigcirc (r))]))])$ 

After q until r  $\forall \Box (q \Rightarrow \neg \exists [(\neg p \land \neg r) \cup (s \land \neg p \land \neg r \land \exists \circ (\exists [\neg r \cup (t \land \neg r)]))])$ 

#### Precedence chain (s, t precedes p)

Globally  $\neg \exists [\neg sUp] \land \neg \exists [\neg pU (s \land \neg p \land \exists \circ (\exists [\neg tU (p \land \neg t)]))]$ 

Before  $r = \neg \exists [(\neg s \land \neg r) \cup (p \land \neg r)] \land \neg \exists [(\neg p \land \neg r) \cup (s \land \neg p \land \neg r \land \exists o (\exists [(\neg t \land \neg r) \cup (p \land \neg t \land \neg r)]))]$ 

After  $q = \neg \exists [\neg qU(q \land \exists [\neg sUp] \land \exists [\neg pU(s \land \neg p \land \exists \circ (\exists [\neg tU(p \land \neg t)]))])]$ 

Between q and r  $\forall \Box (q \Rightarrow \neg \exists [(\neg s \land \neg r) U(p \land \neg r \land \exists \diamondsuit(r))]) \land \neg \exists [(\neg p \land \neg r) U(s \land \neg p \land \neg r \land \exists \circ (\exists [(\neg t \land \neg r) U(p \land \neg t \land \neg r \land \exists \diamondsuit(r))]))])$ 

After q until r  $\forall \Box (q \Rightarrow \neg \exists [(\neg s \land \neg r) \cup (p \land \neg r)] \land \neg \exists [(\neg p \land \neg r) \cup (s \land \neg p \land \neg r \land \exists \circ (\exists [(\neg t \land \neg r) \cup (p \land \neg t \land \neg r)]))])$ 

#### Response chain (s, t respond to p)

Globally  $\forall \Box (p \Rightarrow \forall \Diamond (s \land \forall \circ (\forall \Diamond (t))))$ 

Before r  $\neg \exists [\neg rU (p \land \neg r \land (\exists [\neg sU r] \lor \exists [\neg rU (s \land \neg r \land \exists \circ (\exists [\neg tUr]))]))]$ After q  $\neg \exists [\neg qU (q \land \exists \diamond (p \land (\exists \Box (\neg s) \lor \exists \diamond (s \land \exists \circ (\exists \Box (\neg t))))))]$ 

Between q and r  $\forall \Box (q \rightarrow \neg \exists [\neg r U (p \land \neg r \land (\exists [\neg s U r] \lor \exists [\neg r U (s \land \neg r \land \exists (\exists [\neg t U r]))]))])$ 

After q until r  $\forall \Box (q \Rightarrow \neg \exists [\neg r \cup (p \land \neg r \land (\exists [\neg s \cup r] \lor \exists \Box (\neg s \land \neg r) \lor \exists [\neg r \cup (s \land \neg r \land \exists \circ (\exists [\neg t \cup r] \lor \exists \Box (\neg t \land \neg r)))]))])$ 

Response chain (p responds to s, t)

Globally  $\neg \exists \diamondsuit ( s \land \exists \circ (\exists \diamondsuit ( t \land \exists \Box (\neg p))))$ 

Before r  $\neg \exists [\neg rU (s \land \neg r \land \exists (\exists [\neg rU(t \land \neg r \land \exists [\neg pUr])]))]$ After q  $\neg \exists [\neg qU(q \land \exists \land (s \land \exists (\exists \land (t \land \exists \Box (\neg p)))))]$ 

Between q and r  $\forall \Box (q \Rightarrow \neg \exists [\neg rU (s \land \neg r \land \exists (\exists [\neg rU (t \land \neg r \land \exists [\neg pUr])]))])$ 

After q until r  $\forall \Box (q \Rightarrow \neg \exists [\neg r \cup (s \land \neg r \land \exists o (\exists [\neg r \cup (t \land \neg r \land (\exists [\neg p \cup r] \lor \exists \Box (\neg p \land \neg r)))]))])$ 

### ANNEX D: HiLLS model components for the crossing system study case

The Train has five configurations. The initial one is Approaching and is finite. As such an internal transition takes place after 5.8 seconds, and takes the Train to Before\_Crossing while outputting the Approach signal. The Train stays there for 8.6 seconds as this is the travel time from being detected to entering the crossing area. Then, the Train takes an internal transition to Crossing

where it spends 5.2 seconds and then transits to After\_Crossing. An internal transition from After\_Crossing will output Exit after 2.0 seconds and transits the Train to Moving\_Away where the Train spends reasonably longer time (generated by a random function) before returning to its initial Approaching configuration. Such a loop in the Train's behavior translates the frequent passing of trains in real world, with the assumption that the inter-arrival times of trains to the crossing are distributed according to the random law indicated.



Train TA

The sensor models (i.e., Entrance\_Sensor and Exit\_Sensor) function the same way, and have, each, two configurations: Waiting and Detecting. Initially, the Sensor is Waiting, and it keeps doing so until it detects the signal Approach. It will then take an external transition to a transient configuration Detecting where it spends no time. Therefore, an internal transition immediately takes place from Detecting back to Waiting.

The Gate is initially open (configuration Up) and it remains so until it receives an input signal Close, which will cause an external transition to Lowering, a finite configuration with sojourn time of 2.3 seconds. From there, the Gate takes an internal transition to Down, where it stays until it receives an input signal Open. The Open signal transits the Gate to Raising. The Gate stays in this configuration for 2.3 seconds,



Entrance sensor TA



Exit sensor TA

the time required to open the Gate before transiting internally to Up.

The Controller model has three configurations: Inactive (initial configuration), Closing, and Opening. The Controller remains in a passive configuration until it receives a signal. Once the signal is received, the

Controller takes an external transition to Closing (if the signal received is Approach), or to Opening (if the signal received is Exit). No time is spent at the transient configurations (Closing and Opening respectively), and an internal transition takes the Controller back to Inactive while outputting or sending Open and Close signal respectively.



Gate TA

## ANNEX E: UPPAAL Timed Automata of the crossing system's components



Controller TA

#### **Funding**

This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.

#### **ORCID iDs**

Kehinde G. Samuel D https://orcid.org/0000-0002-8716-8513 Mamadou K. Traoré https://orcid.org/0000-0001-9464-6416

#### References

- 1. Bryant BR, Gray J, Mernik M, et al. Challenges and directions in formalizing the semantics of modeling languages. *Comput Sci Inform Syst* 2011; 8(2): 225–253.
- Aliyu HO, Maïga O and Traoré MK. The high-level language for systems specification: A Model-driven approach to systems engineering. *Int J Model Sim Sci Comput* 2016; 7(1): 1641003.

- 3. Zeigler BP. *Theory of Modeling and Simulation*. 1st edition. New York: John Wiley & Sons. Inc., 1976.
- 4. Aliyu HO, Maïga O and Traoré MK. A framework for discrete event systems enactment. In: *Proceedings of the 29th European Simulation and Modeling Conference -ESM'15*, EUROSIS-ETI, Leicester, UK, 2015, pp.149–156.
- Samuel KG, Maïga O and Traoré MK. Formal verification with HiLLS-specified models: A further step in multi-analysis modeling of complex systems. *Int J Model Simulat Sci Comput* 2019; 10(05): 1950032.
- Hong KJ and Kim TG. DEVSpecL: DEVS specification language for modeling, simulation, and analysis of discrete event systems. *Inform Software Technol* 2006; 48(4): 221–234.
- Büchi JR. On a decision method in restricted second-order arithmetic. In: Proceedings of the 1960 International Congress on Logic, Methodology, and Philosophy of Science, Nagel E., et al. (Eds.). Stanford University Press, Stanford, CA, 1962, pp.1–11.

- 8. Zeigler BP, Nutaro JJ and Seo C. Combining DEVS and model-checking: Concepts and tools for integrating simulation and analysis. *Int J Simulat Process Model* 2017; 12(1): 2–15.
- 9. Zeigler BP and Sarjoughian HS. *Guide to Modeling and Simulation of Systems of Systems*. Berlin, Germany: Springer Publication Company, 2012.
- Furfaro A and Nigro L. A development methodology for embedded systems based on RT-DEVS. *Innovat Syst* Software Eng 2009; 5(2): 117–127.
- Saadawi H and Wainer G. Verification of real-time DEVS models. In: Proceedings of the 2009 Spring Simulation Multiconference, Society for Computer Simulation International, San Diego, California, United State, 2009, pp.1–8.
- 12. Madlener F, Weingart J and Huss SA. Verification of dynamically reconfigurable embedded systems by model transformation rules. In: Proceedings of IEEE/ACM/IFIP 8th International Conference on Hardware-Software Codesign and System Synthesis (CODES+ISSS 2010) part of the Embedded Systems Week, Association for Computing Machinery, New York, NY, United States, 2010, pp.33–40. https://doi.org/10.1145/1878961.1878969
- Maïga O. An integrated language for the specification, simulation, formal analysis and enactment of discrete event systems. Ph.D. Thesis, Université Blaise Pascal Clermont-Ferrand II, France, 2015.
- Maler O, Manna Z and Pnueli A. From timed to hybrid systems.
   In: Proceedings of the Real-Time: Theory in Practice, REX Workshop 1992. Springer-Verlag, London, 1992, pp.447–484.
- 15. Nutaro J. Toward a theory of superdense time in simulation models. *ACM Trans Model Comput Simulat* 2020; 30(3): Article 16, 13 pages, DOI: https://doi.org/10.1145/3379489.
- 16. Jouault F, Allilaire F, Bezivin J, et al. ATL: A model transformation tool. *Sci ComputProgram* 2008; 72(1–2): 31–39.
- Baier C and Katoen JP. Principles of Model Checking. Cambridge, Massachusetts London, England: The MIT Press, 2008.
- Pnueli A. The temporal logic of programs. In: *Proceedings of the 18<sup>th</sup> Annual Symposium on Foundations of Computer Science (SFCS'77)*, IEEE Computer Society, 1730 Massachusetts Ave., NW Washington, DC, United States, 1977, pp.46–57. https://doi.org/10.1109/SFCS.1977.32
- Clarke EM, Emerson EA and Sistla AP. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans Program Lang Syst 1986; 8(2): 244–263.
- Dwyer MB, Avrunin GS and Corbett JC. Patterns in property specifications for finite-state verification. In: *Proceedings of* the 1999 International Conference on Software Engineering (ICSE-99), IEEE, Los Angeles, 1999, pp.411–420.
- Dwyer MB, Avrunin GS and Corbett JC. Property specification patterns for finite-state verification In: FMSP 1998
   Proc. 2nd workshop Formal methods in software practice,
   New York, NY, USA, 1998, pp. 7–15.
- Ferro G. AMC: ACTL Model Checker. Reference Manual. Internal Report 1994, #B4-47.
- 23. Kozen D. Results on the Propositional  $\mu$ -Calculus. *Theor Comput Sci* 1983; 27(3): 33–354.
- Meyers B, Deshayes R, Lucio L, et al. ProMoBox: A framework for generating domain-specific property languages. In:
   7th International Conference on Software Language

- Engineering (SLE), Springer, Vasteras, Sweden, 2014, pp.1–20. doi:10.1007/978-3-319-11245-9\_1
- 25. Klein F and Giese H Joint structural and temporal property specification using timed story scenario diagrams. In: Proceedings of the International Conference on Fundamental Approaches to Software Engineering, Springer Berlin Heidelberg, 2007, pp.185–199.
- 26. Behrmann D, Larsen P and Yi W. Developing UPPAAL over 15 years'. *Software Pract Ex* 2011; 41: 133–142.
- 27. Behrmann G, David A, Larsen K, et al. UPPAAL 4.0. In: *Proceedings of the 3rd International Conference on Quantitative Evaluation of Systems (QEST 2006), IEEE Computer Society*, Washington, DC, 2006, pp.125–126.
- 28. Alpern B and Schneider FB. Defining liveness. *Inform Process Lett* 1985; 21(4): 181–185.
- Callahan J, Schneider F and Easterbrook F. Automated software testing using model checking. In: *Proceeding of the* 1996 SPIN Workshop, Citeseer, Rutgers University, New Brunswick, NJ, 1996, pp.118–127.
- Maandag P. Experiments in unifying model-checking approaches. Master Thesis, Radboud University, Nijmegen, Netherlands, 2014.
- Yang L. Model checking concurrent and real-time systems: The Pat Approach. Ph.D. Thesis, National University of Singapore, Singapore, 2009.
- 32. Akhtar N. Requirements, formal verification and model transformations of an agent-based system: A case study. *Comput Eng Intell Syst* 2014; 5(3): 1–16.

#### **Author biographies**

**Kehinde Grace Samuel** is a PhD student at the African University of Science and Technology (AUST, Nigeria). She is currently working on the formal verification and validation of DEVS-based simulation models. Her research interests are modeling and verification methodologies (*keliake@aust.edu.ng*).

**Nourou-Dine Mohamed Bouaré** is a research assistant at Université des Sciences, Techniques et Technologies de Bamako (USTTB, Mali). His research interests focuses on DSL (Domain-Specific Language) engineering (nm.bouare@usttb.edu.ml).

**Oumar Maïga** is an Assistant Professor at Université des Sciences, Techniques et Technologies de Bamako (USTTB, Mali). His current research is on Model-Driven Engineering and DEVS Modeling and Simulation (oumary.maiga@usttb.edu.ml).

**Mamadou Kaba Traoré** is Full Professor at the University of Bordeaux. He is working on formal specifications, symbolic manipulation and automated code synthesis of simulation models. His more recent research interests also include the integration of Artificial Intelligence methods into Modeling and Simulation (mamadou-kaba.traore@u-bordeaux.fr).