Methodology and Tools for Development and Verification of formal fUML Models of Requirements and Architecture for Complex Software and Hardware Systems

. The article presents models and algorithms to support end-to-end quality control of complex software and hardware systems through the implementation of the software-controlled process of development and verification of formal models of requirements and architecture of such systems, Firstly, we give the analysis of scientific publications and the normative-methodical base in the field of development and application in practice of the model-based approach is given. We establish that least provided by model, algorithmic and software solutions are issues related to the development of a complete and correct set of requirements, as well as the formalization and verification of technical projects of software and hardware systems. To solve the existing problems, we propose to develop a special unified environment for the development, modeling and testing formal models of requirements and architecture of complex software and hardware systems. These models provide an optimal set of interconnected fUML diagrams presented in ALF notation and verified in the fUML virtual machine and using SMT/SAT solvers.


Introduction
Now, when the confrontation in the political, economic and military fields is growing, one of the most important activities of the state is to ensure the safe operation of critical information infrastructure (CII). According to the Federal Law of the Russian Federation [1], CII objects are automated control systems (ACS) for  objective complexity of the task of creating a formal presentation of system requirements based on their original informal representation;  availability of a wide range of languages and tools proposed for building models of the analysis, architecture, and implementation of a system in the absence of clear and specific rules and recommendations for their application;  lack adequate tools for automated construction and execution of test scenarios for the verification of requirements and architecture. The second section provides a brief overview of scientific and technical publications, in which the described issues are considered and solved. The third and fourth sections of the article present the models and algorithms for building a formal specifications requirements. The fifth section describes the models and algorithms for developing and verification the architecture of CSHS. The sixth section presents the methodology for constructing test scenarios to verify models of requirements, architecture, and implementation of CSHS using the SAT/SMT solvers.

Overview of the Current Normative-methodical Base and Scientific Publications in the Field of Development and Verification of CSHS
The exceptional relevance of the problems described above has led to the great attention and efforts taken by international and national organizations, scientific and professional communities, development teams and individual researchers to solve them. In the authors '  The fundamental paper written by Dragan Milicev, the Serbian scientist and MBSE expert, Professor of University of Belgrade [5], outlines the principles and methods of applying modern information technologies based on the object-oriented paradigm and model-based approach for the industrial development of CSHS. This is especially valuable in the context of the problems considered in this article. Also, the paper provides recommendations and examples of using the fundamental UML (fUML) language, which is used to create and verify executable formal UML models. In the monograph [6], the techniques and methods of applying the constructs and mechanisms of the SysML language are described in a summary and illustrated form containing practical examples, the idea and principles of this language are explained. This monograph is written by the group of active developers of many OMG methodical documents and specifications, and those who apply this knowledge in practice at such companies as Lockheed Martin and Raytheon Company: S. Friedenthal, A. Moore, R. Steiner. Useful information on applying the SysML language mechanisms for designing CSHS is presented in the monograph by Lenny Delligatti [7] (Lockheed Martin Corporation). From among all publications of Russian organizations and researchers, it is worth to mention the papers by the ISP RAS team dealing with both theoretical and practical aspects of these problems. The theoretical foundations of the design and verification of CSHS based on a category-theoretic approach to metaprogramming are described in publications written by S. Kovalev, the leading ISP RAS researcher [8] [9]. They present the ways to apply category theory to solve the problem of representing heterogeneous software engineering technologies in a common format that would be convenient for their integration and coordination in the software system design life cycle. Particular attention is paid to such modern technologies as model checking development and aspect-oriented programming, for which universal categorytheoretic semantic models are built. One of the modern means to describe the architecture of software and hardware systems is Architecture Analysis & Design Language (AADL) [10]. On the basis of this language, the system for supporting the design and verification of MASIW onboard aircraft systems developed by ISP RAS together with GosNIIAS as part of the state program for the development of Integrated Modular Avionics (IMA) is being actively used. When developing MASIW, the following libraries and tools were used: Eclipse Modeling Framework, Graphical Editing Framework, Eclipse Team Providing, SVN Team Provider, GIT Team Provider. As noted in the article [11], the MASIW tools allow solving the following tasks:  creation, editing, and management of models of hardware-software complexes (HSCs) using the AADL language;  analysis of models for the sufficiency of hardware resources and interface consistency, the evaluation of the characteristics of projected data networks built in accordance with the AFDX standard (Avionics Full-Duplex Switched Ethernet);  distribution of functional applications over computation modules, taking into account the limitations of the hardware platform resources and the requirements for the reliability and security of HSCs;  generation of computer code and configuration data for VxWorks653 RT OS and termination units of the AFDX network. An example of using the special extension of the AADL language -Error Model Annex (EMA) and the MASIW tool for modeling and analyzing the security of the designed HSCs is presented in [12]. The model is created using EMA, in which a finite-state machine (FSM) is developed for each component of HSCs. The states of FSM are normal states and emergencies, including dangerous and failure situations of this component. The effect of system component failures on other components is described by specifying the logical conditions for the propagation of errors between different types of components in different states, taking into account the probabilities of their occurrence. The following algorithms are used for risk analysis: Fault Tree Analysis, Failure Mode and Effects Analysis, Markov Analysis. The implementation of the approach described in this article helps to identify and eliminate the security-critical defects in design solutions at the design stage. The ISP RAS team has developed the technology called UniTESK (Unified TEsting Specification based toolkit) for testing software interfaces. This is a unified set of testing tools based on specifications. UniTESK is unified due to the fact that the general testing methodology and general architecture can be used to test modules using almost all programming languages. Currently, there are the UniTESK implementations for C (CTESK), C ++ (C ++ TESK), Java (JavaTESK and Summer), Python (PyTESK). The UniTESK technology has two main differences from common testing tools [13]:  UniTESK helps to describe the specifications of a software contract of modules in the form of pre-and post-conditions using the extensions of programming languages (in case of C ++ TESK, no extension is required);  instead of manual development of test cases, UniTESK allows describing a generalized scenarioa compact description of test logic that allows the test sequence generator to call each specified interface in all its uses automatically and to verify the correctness of the result for compliance with a specified post-condition. The next group of publications consists of papers devoted to the solution of particular problems of developing and verifying CSHS. The thesis written by A.V. Markov, the employee of Novosibirsk State Technical University, is devoted to the issues of automation of design and software analysis processes using the UML language and Petri nets [14]. The paper describes the software design methodology using UML sequence diagrams in the .xmi format and presents the method for their automatic convert to the .cpn format used to describe Petri nets. The result of using this method is hierarchical Petri nets being analyzed for verifying the software Samonov A.V. , Samonova G.N. Methodology and Tools for Development and Verification of formal fUML models of Requirements and Architecture for complex software and hardware systems. Trudy ISP RAN/Proc. ISP RAS, vol. 30, issue 5, 2018, pp. 123-146 128 project, which is represented in the form of UML diagrams. The following solutions presented in this paper are the most valuable in practice:  algorithm of transforming UML diagrams to Petri network;  algorithm and rules of implementing inversion in Petri nets to check the reachability of the selected network state;  algorithms and software for constructing and analyzing Petri nets to identify and eliminate defects in the developed software. The review of modern methods for automatic test generation presented in [15] is quite useful. The paper describes the following methods:  structural testing using symbolic execution;  model-based testing;  combinatorial testing;  random testing;  search-based testing. The article [16] presents the automated method for making UML sequence diagrams using the description of UML use case diagrams and class diagrams. To implement this method, it is necessary to use the ATL language and metamodels of use case diagrams, class diagrams and sequence diagrams developed by the authors of the article, as well as the rules for obtaining the third diagram from the first and second ones. The result of this transformation is a sequence diagram in the XMI format, which is then converted to the XSLT format to display a sequence diagram in a graphical editor for viewing, analysis, and making changes. The disadvantage of the proposed algorithm is the lack of automatic correction of the original models if any new changes are made to a sequence diagram. This is due to the fact that the transformations using the ATL language are unidirectional  they work with readonly source models and create write-only target models. In the work [17], experts at Shanghai University have described the approach to verify large-scale web projects by developing and analyzing the executable model of the corresponding software. To build this executable model, the authors have developed the method that uses live sequence charts (LSCs) as input data. A UML model using LSCs diagrams is transformed into a symbolic finite-state machine. Test scenarios are created by traversing a finite-state machine with the Depth-first Search method (DFS). The paper [18] describes the method of automatic generation of computer code based on the project (architectural model) of a program presented in the ALF language. Of particular interest is the conceptual scheme of the mechanism for generating computer code from the project description in the ALF format using the rules in the extended Backus-Naur (EBNF) notation). The authors point out the following advantages of the tool to transform the model of the architecture of the ATL language: the ability to describe both declarative and imperative language constructs, the presence of means to combine modules that allow creating and reusing sets of transformation rules. The result is a Java code that corresponds to the Modisco Java metamodel. The article [19] describes two methods for implementing automatic testing of realtime loaded systems using scenarios. In the first, the system is modeled as the network of timed automata (TA). In the second, it is modeled as a set of live sequence charts (LSCs) and requirements in the form of a separate LSC diagram to analyze. The authors of the article have developed temporal extensions for a subset of the core of the LSC language and defined its semantics based on tracing. The analyzed LSC diagram is transformed to its behavioral equivalent in the notation of the TA diagram. The correctness verification of a model is carried out by modeling the TA diagram in real time using Computational Tree Logic (CTL) followed by the comparison of the obtained result with the standard. Both methods are implemented with the tools of UPPAAL. The paper [20] describes the method for generating unit cases based on the architecture of a model presented in the form of UML activity diagrams. The tests are created with the SMT/SAT solvers, which analyze the control flow graph of a program presented in A Modeling Language for Mathematical Programming (AMPL). This paper proposes test coverage criteria based on control flow analysis. Particular attention is paid to mixed integer nonlinear programming, as well as to the construction of logical formulas for OCL (Object Constraint Language) constraints. One of the serious disadvantages of modern approaches is the lack of ability to take into account the composition and structure of designed systems, as well as to establish and synchronize the relations between system requirements and design elements. To eliminate these disadvantages, the paper [21] proposes to make a system design based on SysML behavioral diagrams. To verify automatically the project created in this way, it is proposed to use the following methods:  transformation of SysML activity diagrams to modular Petri nets presented in PNML (Petri Net Markup Language);  mathematics and such tools as CPN Tools and SPIN for analyzing Petri nets;  algorithm for verifying the time requirements in SysML activity diagrams, which are pre-converted to formulas of Linear Temporal Logic (LTL) using Active Temporal Requirement Language (AcTRL) developed by the authors. To create tools for the dynamic verification and validation of project behavioral models, it is proposed to use Executable Domain-specific Modeling Languages (xDSMLs) in [22]. Means based on them make it possible to monitor the states of analyzed models (transitions, events, variable values) during their execution. The new generative approach based on a multidimensional and domain-specific trace metamodel is proposed. This method helps to construct and manage execution traces for models corresponding to a specified xDSML. According to the authors of Samonov A.V. , Samonova G.N. Methodology and Tools for Development and Verification of formal fUML models of Requirements and Architecture for complex software and hardware systems. Trudy ISP RAN/Proc. ISP RAS, vol. 30, issue 5, 2018, pp. 123-146 130 this paper, this method has higher performance compared to the standard UML metamodel due to the ability to exclude redundant data from processing (for example, analyzed traces) using the mechanisms of the corresponding xDSML. To conclude the analysis of publications and the solutions presented in them, the following ideas can be summarized: 

Models and Algorithms of Formal Description of the Requirements for a System Based on the Original Informal Representation
To solve the problem of building a formal description of the requirements for automated systems and software, you must perform the following operations and procedures: 1. First, additional content control elements are developed and installed in a text editor (MS Word or Writer). These elements are XML schemas (tz_as.xsd, tz_sw.xsd.) based on a universal Requiment Interchage Format (ReqIF). XML schemas describe the composition and structure of requirements for automated systems and software defined in the relevant normative-methodical documents. 2. Then in the environment of a text editor in accordance with the established in the previous step xml schemas (tz_as.xsd and tz_sw.xsd) structured text documents are developed containing requirements to the system. 3. The next step is the automatic generation of the first version of the formal model of the set of requirements. to implement this procedure, use the metamodel shown in the Fig. 1. This metamodel is a conceptual and logical union of a use case diagram and a class diagram.

Fig.1. Comprehensive model of the use case diagram and class diagram
To develop this metamodel, the official specifications of these diagrams on the OMG website and the models proposed in publications [16] [22] [23] were used. In addition to the explicit establishment of relationships between diagram elements of these diagrams, the proposed model includes the new class  "Sentence" and excludes two classes  "Subject" and "Agent". The program implementing the generation procedure uses the xmi representation of this metamodel and developed before structured text documents containing requirements to the system. Each i-th use case is a functional requirement and is described as follows: ) , , , ( The next step in building a requirements model is to develop non-functional requirements specifications for each system function: The model built in this way is preliminary, and it is used as input data for the algorithm for building a model formal requirements in the fUML language which described in the next section.

Algorithm for Building a Formal Model Requirements
The scheme of the algorithm that implements the second stage of the procedure of building a formal requirements model using the fUML language is shown in Fig. 2. Use case diagrams (UCDs) -d_uc, class diagram (CDs) -d_class and requirements diagrams (RDs) -d_reqs are used as initial data. The analyst and future system user develop an interaction overview diagram (IOD)  d_io for each UCD (d_uc). In this diagram, the functions implemented by the system are described from the user's point of view in more detail using activity diagrams, sequence diagrams, and statechart diagrams. Formally, an interaction overview diagram can be represented as follows: ) describes the algorithm for implementing the function by the j-th block (class) of the designed software, which includes the description of main ( ) and alternative ( fia i io ) flows. Alternate flows describe the operation of programs in case of abnormal situations, such as erroneous user actions, unexpected influences from the external environment, etc. The main and alternative flows can have subordinate flows, which are described in IOD using frames with "ref". The subordinate IOD flows show the work of a program from the user's point of view and can be represented with activity diagrams, sequence diagrams or statechart diagrams depending on the features of the functioning of CSHS and ways of the interaction with the user and environment. To describe the procedure and possibility of realization of those or other threads are used pre -and post-condition. the model of requirements constructed in this way should be subjected to validation and verification procedures. The validation procedure is to assess the completeness and correctness of the set of requirements. It is carried out both by software tools and by the informal expertise of specialists in a particular subject area. Such properties of a model as consistency, systematicity, non-redundancy, security, liveliness, absence of deadlocks, impossible operations, looping are checked during verification. The verification of the requirements model is carried out through its execution and testing in the fUML virtual machine environment and analysis using SAT/SMT solvers.

. Construction algorithm of the technical project model
The description of these methods and tools is provided in sections 5 and 6.

135
The initial data are the interaction overview diagram  d_io, diagrams of quality requirements for the implementation of functions  d_reqs, class diagrams  d_class and the requirements for development technologies and operating environment.

Fig.3. Algorithm of the architecture model development
In each interaction overview diagram (d_io) searches for a reference to activity diagrams (ref_act), sequence diagrams (ref_seq) and statechart diagram (ref_sm). If such references are found, the architect is asked to build or modify the corresponding diagrams. Activity diagrams are described using control nodes (control_node: decision node, merge node, fork node, join node, interaction, interaction use); object nodes (object_node); pre-conditions and post-conditions. When constructing sequence diagrams, the additional boundary, control, and entity classes are first created, which perform the functions of intermediate (boundary) classes, control, and information objects, respectively. Then the lifelines are defined corresponding to classes that exchange messages. Messages are defined by the conditions and limitations of their transmission and reception, and the actions that are performed (do action). When developing state diagrams, the S ={ } states and T = { } transitions between them are defined. Each state consists of a description of the attributes -val_var, as well as the actions performed: entry  at the entrance, do_inter  internal, exit  at the exit. The transitions include descriptions of the event initiating this transition  event, the pre-and post-implementation conditions  guard_cond and actions that must be performed before the actions of a new state  t_action). The constructed diagrams are added to the database. To obtain a consistent and bound set of CSHS technical project (architecture) diagrams, class diagrams (d_class) and requirements diagrams (d_regs) are refined by establishing relations with new activity, sequences and statechart diagrams that were developed or modified. Fig. 4 shows the diagram illustrating the relationships between class and activity diagrams. Each d_act i has a relationship with a specific class by describing the algorithm for implementing the corresponding class method.

Fig. 4. Relationships and dependencies between the main components of the technical project model: class and activity
To implement the architecture model verification procedure in the virtual machine environment, fUML sequence diagrams (d_seq) and statechart diagrams (d_sm) are transformed to activity diagrams (d_act), which are then described in the language ALF (Action Language for Foundational UML). 137  executesynchronously execute a behavior, given values for its input parameters and returning values for its output behaviors;  startasynchronously start the execution of a stand-alone or classifier behavior, returning a reference to the instance of the executing behavior or of the behaviored classifier. Each execution is performed on a specific VM (Locus), which is the abstraction of a physical or virtual computer capable of executing and verifying fUML models.

Fig.5. Scheme of executable fUML-model verification
The following basic requirements are imposed on the software architecture of CSHS:  completeness of the implementation of functional requirements defined in the interaction overview diagrams -d_io;  completeness and correctness of the implementation of non-functional requirements defined in requirements diagrams -d_reqs;  coherence and consistency of all model diagrams;  lack of redundancy. Testing the architecture model in the fUML virtual machine environment also makes it possible to detect defects that can lead to security and liveliness violations, the occurrence of deadlocks, impracticable operations, and loops. In addition, it is Samonov A.V. , Samonova G.N. Methodology and Tools for Development and Verification of formal fUML models of Requirements and Architecture for complex software and hardware systems. Trudy ISP RAN/Proc. ISP RAS, vol. 30, issue 5, 2018, pp. 123-146 138 advisable to use SAT/SMT solvers to verify the architecture model. The description of their application is presented in the next section of the article.

Methods for Constructing Test Scenarios to Verify Models of Requirements, Architecture and Implementation of CSHS using SAT/SMT solvers
The main stages of the process of constructing test scenarios to verify models of requirements, architecture, and implementation of CSHS are presented in Fig. 6: building a control flow graph (CFG); description of CFG in language ALF; generation of test scenarios (TSs) for verification of a set of requirements and technical project (architecture); generation of TSs for implementation verification; adding test scenarios to database (DB).

Fig.6. Generalized algorithm of test scenarios development for verification of requirement, architecture and implementation models
With the help of this algorithm, the requirements model and the architecture model can be verified. The original format for representing these models is .xmi. Based on these descriptions, the corresponding verifiable CFG model is built, in which both functional and non-functional requirements for the system being developed are taken into account. To represent non-functional requirements, Object Constraint Самонов А.В., Самонова Г.Н. Методика и средства разработки и верификации формальных FUML моделей требований и архитектуры сложных программно-технических систем. Труды ИСП РАН, том 30, вып. 5, 2018 г., стр. 123-146 139 Language (OCL) is used. A SMT/SAT solver checks CFG for defects and, if they are found, creates counterexamples. Using them, the developer determines the causes of defects and makes the necessary corrections to the analyzed artifact. To implement this approach, it is proposed to use the ALT-ERGO, CVC4 and Z3 solvers, integrated into the Frama-C framework [24] [25].

Fig. 7. Detailed algorithm of test scenarios development for verification models of requirement, architecture and implementation
Concluding the presentation of the developed models and algorithms, let us present a generalized scheme for the implementation of software-controlled process of development and verification of formal models of requirements and architecture of CSHS, which provides end-to-end quality control of all artifacts of the life cycle of CSHS (Fig. 8).

Conclusion
One of the most important directions of improving the development processes and achieving the required quality indicators of complex software and hardware systems is the creation and implementation in practice of their industrial development of model-based technologies for justifying requirements, design, and implementation followed by the procedures of their formal verification and semi-formal validation. Currently, the most problematic issues are related to the verification of requirements and the CSHS architecture. To solve these problems, it is proposed to implement the approach described in this article. The distinctive features of this approach are:  formation and use of a single model-language and information-software environment for the development and verification of formal models of requirements, architecture and software implementation based on the necessary and sufficient set of interrelated fUML diagrams and the model of internal and inter-model relations developed for them;  implementation of the software-controlled development process of CSHS in accordance with the developed algorithm that performs sequentialiterative operations of generating and transforming formal models of requirements and architecture presented in fUML, XMI, ALF, and that also performs their verification in the fUML virtual machine environment and SMT/SAT solvers. To implement the proposed approach, the following models, algorithms, and methods were developed:  algorithm of a formal description of the requirements for the developed system based on the initial informal representation;  fUML diagram models that are necessary and sufficient to develop complete, correct and consistent formal models of requirements and architecture;  models, algorithms and guidelines for the development of formal models requirements and the architecture in languages fUML, XMI and ALF;  verification algorithms for models of requirements and the architecture of CSHS in the environment of fUML virtual machine;  verification of the formal model of the architecture and program implementation through the analysis using the SAT/SMT solvers. Currently, work is underway to create a set of software tools to ensure the implementation of this approach. The development tools, libraries, and applications implemented in the Eclipse project (EMF, GMP, RCP, Papyrus, Moka, Titan) are used as a development environment and prototypes. The implementation of this software package in the relevant technological processes at companies will ensure the most complete accounting and correct implementation of requirements for functional and operational characteristics, environment and conditions for the use of CSHS. It will also significantly reduce the cost of finding and eliminating the most critical and resource-intensive defects made at the stages of the formation of requirements and design of their architecture. Аннотация. В статье представлены модели и алгоритмы обеспечения сквозного контроля качества сложных программно-технических систем (СПТС) посредством реализации программно-управляемого процесса разработки и верификации формальных моделей требований и архитектуры СПТС. Дан анализ научных публикаций и нормативно-методической базы в области разработки и применения на практике модельно-ориентированного подхода. Установлено, что наименее обеспеченными модельными, алгоритмическими и программными решениями являются вопросы, связанные с разработкой полного и корректного набора требований, а также с формализацией и верификацией технических проектов СПТС. Предложены способы решения существующих проблем посредством формирования единой модельно-языковой и информационно-программной среды разработки и верификации формальных моделей требований и архитектуры СПТС, построенных на основе оптимального набора взаимосвязанных fUML диаграмм, представленных в нотации языка ALF и верифицируемых в среде виртуальной машины fUML и с помощью SAT/SMT решателей.