Model Checking TLA+ Specifications

Yu, Yuan; Manolios, Panagiotis; Lamport, Leslie

doi:10.1007/3-540-48153-2_6

Cited by 183 publications

(127 citation statements)

References 13 publications

Supporting

Mentioning

115

Contrasting

Order By: Relevance

“…We have also reprogrammed the above experiment in TLA + [Lam02] and used the TLC model checker (version 3.5 of the TLA Toolbox) [YML99]. Indeed, TLA + and the B-Method share a common basis of predicate logic and set theory.…”

Section: A Performance Experimentsmentioning

confidence: 99%

See 1 more Smart Citation

Automated property verification for large scale B models with ProB

et al. 2011

View full text Add to dashboard Cite

Abstract. In this paper we describe the successful application of the ProB tool for data validation in several industrial applications. The initial case study centred on the San Juan metro system installed by Siemens. The control software was developed and formally proven with B. However, the development contains certain assumptions about the actual rail network topology which have to be validated separately in order to ensure safe operation. For this task, Siemens has developed custom proof rules for Atelier B. Atelier B, however, was unable to deal with about 80 properties of the deployment (running out of memory). These properties thus had to be validated by hand at great expense, and they need to be revalidated whenever the rail network infrastructure changes. In this paper we show how we were able to use ProB to validate all of the about 300 properties of the San Juan deployment, detecting exactly the same faults automatically in a few minutes that were manually uncovered in about one man-month. We have repeated this task for three ongoing projects at Siemens, notably the ongoing automatisation of the line 1 of the Paris Métro. Here again, about a man month of effort has been replaced by a few minutes of computation. This achievement required the extension of the ProB kernel for large sets as well as an improved constraint propagation algorithm. We also outline some of the effort and features that were required in moving from a tool capable of dealing with medium-sized examples towards a tool able to deal with actual industrial specifications. We also describe the issue of validating ProB, so that it can be integrated into the SIL4 development chain at Siemens. • This article describes the use of our technique in three active deployments, namely the upgrading of the Paris Metro Line 1 for driverless trains, line 4 of the São Paulo metro and line 9 of the Barcelona metro. We also briefly report on experiments on the models of the CDGVAL shuttle. The paper [LFFP09] only contained the initial San Juan case study, which was used to evaluate the potential of our approach.Correspondence and offprint requests to: M. Leuschel, E-mail: leuschel@cs.uni-duesseldorf.de • In this article we describe the previous method adopted by Siemens in much more detail, as well as explaining the performance issues with Atelier B.• More comparisons and empirical evaluations with other potential approaches and alternate tools (Brama, AnimB, BZ-TT and TLC) have been conducted.• We provide more details about the ongoing validation process of ProB, which is required by Siemens for it to use ProB to replace the existing method. The validation also lead to the discovery of errors in the English version of the Atelier B reference manual.Also, since [LFFP09], ProB itself has been further improved inspired by the application, resulting in new optimisations in the kernel (cf. Sect. 3.2).

show abstract

Section: A Performance Experimentsmentioning

confidence: 99%

“…The model checker TLC (version 3.5 of the TLA Toolbox) [YML99], is written in Java and is capable of evaluating complicated predicates and finding solutions for variables. Like AnimB, TLC deals with conjuncts from left-to-right (see page 239 in Chap.…”

Section: Advantages and Difficulties Of Constraint Propagationmentioning

confidence: 99%

Automated property verification for large scale B models with ProB

et al. 2011

View full text Add to dashboard Cite

show abstract

“…The main tool supporting TLA + is the model checker tlc [45]. It can analyse system specifications in standard form written in a sublanguage of TLA + that ensures that the next-state relation can be effectively computed.…”

Section: Discussionmentioning

confidence: 99%

The Specification Language TLA+

Merz

2007

Logics of Specification Languages

View full text Add to dashboard Cite

“…3.2 since this condition cannot be evaluated unless requirements are represented formally. However, if requirements are indeed represented formally, e.g., in the language Temporal Logic of Actions (TLA) + [45], then an approach such as [81] can be used to evaluate condition (9) of Theorem 1.…”

Section: Additional Condition-enforcing Supportmentioning

confidence: 99%

Providing tool support for specifying safety-critical systems by enforcing syntactic contract conditions

Westman

Nyberg

2017

Requirements Eng

View full text Add to dashboard Cite

Functional safety standards such as IEC 61508 and ISO 26262 advocate a particularly stringent requirements engineering where safety requirements must be structured in a hierarchical manner and specified in accordance with the system architecture. In contrast to the stringent requirements engineering in functional safety standards, according to previous studies, requirements engineering in industry is in general of poor quality. Contracts theory has been previously shown to be suitable for supporting such a stringent requirements engineering effort; this support has also been implemented in tools. However, to use these contract-based tools, requirements must be formalized, which is a major challenge in industry. Therefore, to support current industrial requirements engineering practice and the stringent requirements engineering in functional safety standards, it is shown how tool support can be provided even when requirements, and also architectures, are not formalized. This is achieved by enforcing syntactic, yet formal, conditions in contracts theory. Despite the need for further validation, initial findings in an industrial case study indicate high potential in realizing the proposed support in an industrial setting.

show abstract

Model Checking TLA+ Specifications

Cited by 183 publications

References 13 publications

Automated property verification for large scale B models with ProB

Automated property verification for large scale B models with ProB

The Specification Language TLA+

Providing tool support for specifying safety-critical systems by enforcing syntactic contract conditions

Contact Info

Product

Resources

About