Combining STATEMATE and FNLOG for the specification and the verification of complex real time systems


GESTS Int'l Trans. Computer Science and Engr., Vol.20, No.1, p. 65

Leila JEMNI BEN AYED (1) and Olfa MOSBAHI (2)

(1) Département des Sciences de l'Informatique, Faculté des Sciences de Tunis, Campus Universitaire, 1060 le Belvédère, Tunis, Tunisia, leila.jemni@fsegt.rnu.tn
(2) Département des Sciences de l'Informatique, Faculté des Sciences de Tunis, Campus Universitaire, 1060 le Belvédère, Tunis, Tunisia, olfa.mosbahi@fst.rnu.tn

Abstract. In this paper we explore the usefulness of a combination of semi-formal and formal specification methods in specifying complex real time systems and verifying their properties. The proposed technique is based on the integration of the semi-formal method STATEMATE and the temporal logic FNLOG. STATEMATE is a semi-formal method that pertains to the specification and design of complex reactive systems and builds simulations and prototypes rapidly. Though STATEMATE provides rigorous specifications, these are not verifiable, so they cannot ensure and guarantee the reliability of the system being developed. To fulfill this objective, a STATEMATE specification is translated into the logic-based specification language FNLOG, which allows its verification. This paper presents the various steps of our integration approach, describes the cross reference between STATEMATE and FNLOG features, and extends the axiomatics of the temporal logic FNLOG to deal with duration properties.

1 Introduction

Critical real time systems are characterized by a complexity linked with their diverse ways of reacting to external events, and require a high level of safety and reliability.
To reduce this complexity and to reach the high required degree of reliability and safety, it would be quite interesting to lay out a specification approach which simplifies the requirement description, deals with mathematical notations inducing verification and validation, and allows the description of quantitative temporal properties. Several approaches were proposed to provide different methods and specification languages for complex real time systems. Most of these methods, such as STATEMATE [8] and UML [2], use state-transition diagrams to describe complex systems' behavior. They provide rigorous specifications which are not verifiable to ensure and guarantee the reliability of the system being developed. Because these methods are semi-formal, and unlike formal methods, they are not provided with a proof system. Formal methods are based on mathematical notations and axiomatics which induce verification. Hence, semi-formal and formal methods have been combined to ensure the verification of semi-formal specifications [3], [4], [14], [17]. The combination consists of

transforming the semi-formal specification into a formal one which is verifiable by the use of a proof system. Hence, a semi-formal specification can be verified. Several works were elaborated in this context, such as the transformation from UML to B [14], from Statecharts to B abstract machine notation [16], and from Statecharts to the function logic based specification language called FNLOG [17], [18], which extends the Statecharts language and provides a compositional proof system for Statecharts. Other works were developed to transform the semi-formal method STATEMATE to formal notations. Moreover, [5] provides a set of tools translating STATEMATE specifications into the finite state machines required by a model checker in order to enable their verification. It is within this framework that we present our contribution, which attempts to develop a new technique transforming a STATEMATE design into an FNLOG specification in order to ensure formal verification. In our approach we consider not only the behavioral aspect from statecharts, as is done in [17], but also the functional aspect from activity-charts, and this is why we start with a STATEMATE model and not only with a statechart one. FNLOG [18], which is a logical specification language, was introduced for the verification of Statecharts specifying reactive system behavior, and also to cover the system's functional aspects and to express properties in the application domain and not just in Statecharts. To ensure the verification of Statecharts by FNLOG, a semantic bridge [17], [18] is built between their components. The STATEMATE notation allows the specification of functional and behavioral aspects with Statecharts and activity-charts. Thus, the compatibility between Statecharts and FNLOG components is used and extended to the STATEMATE features specifying the system functions in the translation schemes between STATEMATE and FNLOG.
The proposed approach consists firstly of specifying the system with the STATEMATE notation, which provides a clear and understandable specification, and secondly of translating this specification into the FNLOG notation to be verified. The proposed integration approach uses the notations of STATEMATE and FNLOG, defines various transformation rules from a STATEMATE specification towards FNLOG, and extends the FNLOG axiomatics to reason about duration properties. The paper is organized as follows: Section 2 presents an overview of STATEMATE. Section 3 introduces an abstract of the FNLOG notation and Section 4 presents the proposed technique with some transformation rules from STATEMATE to FNLOG.

2 General view of STATEMATE

STATEMATE is a graphic specification method for complex real-time reactive systems. In STATEMATE, the descriptions used to capture a system specification are organized into three views, or projections, of the system: functional, behavioral and structural. The functional view describes the system's functions, processes and activities. The behavioral view describes the system's behavior over time. The structural one describes the subsystems, modules and the communication between them.

Activity-charts. Activity-charts describe the system's functions, processes, or objects. This view also includes the inputs and outputs of the activities, that is, the

data-flow from the external environment of the system as well as the information flowing among the internal activities.

Statecharts. Statecharts describe the system's behavior over time, including the dynamics of activities, their control and timing behavior. They also provide answers to questions about causality, concurrency, and synchronization. In statecharts, conventional finite state machines (FSM) [7] are extended by AND/OR decomposition of states, inter-level transitions and an implicit inter-component broadcast communication. A statechart specification can be viewed as a tree of states, where the basic states correspond to the conventional notion of states in FSMs. All other states are related by the superstate-substate property. The superstate at the top level is the specification itself. This relation imposes a natural concept of depth as a refinement of states. There are three types of states: AND, OR, and BASIC states. In Fig. 1, for instance, S1 is an AND state, S0, S2, S5 are OR states, and S3, S4, S8 are BASIC states. States obey a hierarchical order. For instance, S2 and S5 are substates of state S1. Substates of an AND state are called parallel states. An OR state consists of a number of substates, and being in the OR-state means being in exactly one of its substates. An AND-state too comprises substates, and being in an AND-state implies being in all its substates simultaneously.

[Fig. 1. Example for AND, OR and Basic states: states S0 to S8 and transitions t0 to t5, with labels such as E1 / E2; fs!(c1), E2 and E3.]

Transitions. Transitions are specified by edges originating at one (or more) state(s) and terminating at one (or more) state(s). A special default transition, which has no origin state, is specified in every superstate; this transition specifies the substate that is entered by default when the superstate is entered. Transitions may be labelled.
Labels are of the form: Event-part [Condition-part] / Action-part. Each component of the label is optional. The event-part is a boolean combination of atomic events, and it must evaluate to true before the transition can trigger. Additionally, the condition-part, which is again a boolean combination of conditions on the events, must be true for the transition to take place. The action-part is a boolean combination of events which will be generated as a result of taking the transition. States are entered and exited either explicitly, by taking a transition, or implicitly, because some other states are entered/exited. In Fig. 1, t0 is the default entry transition of state S0. Similarly, t2 and t4 are the default entry transitions in S3 and S6 respectively.

Orthogonality. The substates of an AND-state, separated by dashed lines in the diagram, are said to be orthogonal. No transitions are allowed between the substates

of an AND-state, which explains why they are said to be orthogonal. Since entering an AND-state means entering every orthogonal component of the state, orthogonality captures concurrency.

Events and Broadcasting. Atomic events are those generated by the environment or those generated within the system itself. Events act as signals to the system. Every occurrence of any event is assumed to be broadcast throughout the system instantaneously. Entering (enter(s)) and exiting (exit(s)) a state S, as well as a timeout, defined by the event tm(e, n), which stands for n time units elapsing since the occurrence of event e, are considered to be events. Broadcasting implies that the events generated in one component are broadcast throughout the system, possibly triggering new transitions in other components, in general giving rise to a whole chain of transitions. By the synchrony hypothesis, explained below, the entire chain of transitions takes place simultaneously in one time step. In Fig. 1, the system can be in states S0 and S8 simultaneously.

Synchronization and Real-time. Statecharts incorporate Berry's [1] strong synchrony hypothesis: an execution machine for a system is infinitely fast and control takes no time. This hypothesis facilitates the specification task by abstracting from the internal reaction time. Real-time is incorporated in statecharts by having an implicit clock, allowing transitions to be triggered by timeouts relative to this clock, and by requiring that if a transition can be taken, then it must be taken immediately. As presented already, by the synchrony hypothesis, the maximal chain of transitions in one time step takes place simultaneously. The events, conditions and actions are inductively defined; details appear in [9], [10]. Intuitively, there is a set of primitive events which may be composed using logical operators to obtain more complex events.

Module-charts.
Module-charts are used to describe the modules that constitute the structural view and the implementation of the system, its division into hardware and software blocks and their inner components, and the communication between them.

3 General view of FNLOG

FNLOG is a logic-based functional specification language, based on first-order predicate logic with arithmetic, extended by quantified temporal operators. Component behaviors of a real-time reactive system are specified in FNLOG by means of function relationships. FNLOG is also compositional, so there is a semantic equivalence between statecharts and FNLOG structures.

Events and Activities. A specification in FNLOG is built from events and activities occurring over time, connected by logical and temporal operators. Hence, an event is an instantaneous occurrence of a signal. An activity is defined as a durative happening with a beginning instant, an end instant, and a finite duration between the two instants. The status of all events and activities, which together specify the system, defines the system state at a given instant. At any time t, an event holds or does not hold; an activity is initiated, terminated, or still alive. In general, an event or activity is instantiated at a given time t if the event holds or the activity is initiated at this time. Every event e and activity A is superscripted by a number i, written as e^i and A^i, which indicates that it is the i-th occurrence of the event or activity in the current system instantiation. This notation allows the specification of repeated events and activities over time. With every activity A^i are associated two special events: initiate-A^i (init-A^i) and terminate-A^i (term-A^i). Thus, any activity A^i is defined by: initiate-A^i ; durative component ; terminate-A^i.

Logical Operators. The logical operators are included in FNLOG to facilitate the composition of activities and events into higher level events, as well as to enable logical assertions in the language.

Temporal Operators. In FNLOG, the past-time temporal logic operators, which are described below, are used to capture relative and absolute time properties as well as the causal relationships over time. The past temporal logic operators are:
- t (true at instant t)
- t (true at all instants before t)
- t (true at instant t-1)
- t (true at some instant before t)
Temporal operators can be applied to both events and activities. For an event e^i, t (e^i) is true at the time t when e^i occurs. For an activity A^i, t (A^i) is true at time t if A^i is either initiated at t or previously initiated and not yet terminated at t. As implied above, the concept of time is that of an infinite sequence of discrete time instants. A duration or interval is thus defined by its initiating and terminating instants. The existential and universal quantifiers are allowed to range over the time variable t in the logic-based function specification language. The quantified temporal operators are described below:
- t-k (e^i): e^i true k instants before time t, t k
- t-k (t e^i): e^i true at some instant in the interval [t-k, t], t k
- t-k (t e^i): e^i true at all instants in the interval [t-k, t], t k

Composition of events and activities.
Higher level events and activities, which are of greater complexity than the primitive ones, are composed of logical and temporal predicates which directly or indirectly use the primitive events and activities. Thus, a hierarchy of events and activities may be built.

4 General view of the proposed specification and verification approach

In this section, we present the proposed specification approach. We begin by presenting its various steps; then we present the transformation rules and the proposed axioms extending the FNLOG axiomatics. The proposed integration method [14] comprises five main steps (Fig. 2), presented in the following.

STEP 1. Requirement Description. This step consists of the description of the system requirements using the FNLOG notation [17]. They are liveness and safety properties, specified at first by the system user as well as the experts.

[Fig. 2. The specification and verification approach using STATEMATE and FNLOG. Step 1: specification in FNLOG of the property P required by the system (schedule of conditions). Step 2: context diagram; decomposition with activity-charts into control activities, non-basic activities and basic activities, recorded in the data dictionary; specification with statecharts (dynamic model). Step 3: transformation from STATEMATE to FNLOG (transformed statecharts, transformed activity-charts, transformed data). Step 4: composition in FNLOG into a global specification G. Step 5: verification of the required properties P from the global specification G.]

STEP 2. Specification with STATEMATE. The second step is a model construction. It consists of the description of the system using STATEMATE. This method reduces the system complexity: the system is broken up into a hierarchy of activities, control and primitive activities, with statecharts and activity-charts; with this refinement, new specific properties are added at a given level to the already drawn up list. Here, three sub-steps are proposed:

Development of the context diagram. We start with the functional specification using activity-charts. We generate the context diagram, which consists of the main activity, some external processes and the flows of information relating the system to its environment.

Decomposition of the system with activity-charts. We break up the context diagram into a series of activities and data-stores as well as a control activity. For each activity, the refinement process is repeated until an acceptable level of detail is reached. We then obtain a hierarchy of activities comprising a set of non-basic activities (activities requiring further decomposition), a set of basic activities (activities not requiring further decomposition) and a set of control activities (activities describing the behavior of their main activity).

Specification with statecharts. The control activities are associated with statecharts which describe the behavior of their main activity. The statecharts obtained form the dynamic model. Textual information on the statecharts (states, events, actions, conditions etc.) is arranged in the data dictionary. Thus, during the decomposition process and the elaboration of the Statecharts, all data and events are saved in a data dictionary.

Step 3. Transformation of STATEMATE primitives to FNLOG. There is a compatibility and an equivalent semantics between a statecharts specification and an FNLOG specification [10]. They use the same primitives, which are events and activities. Furthermore, we find in FNLOG as well as in statecharts a hierarchical composition of events and activities [8]. Also, one of the characteristics of statecharts is historization and recovery; FNLOG, being a past temporal logic, is therefore appropriate to the specification of a system's behavior depending on its history. Based on this compatibility we have proposed some transformation rules from Statecharts and Activity-charts specifications to logical formulae in FNLOG. Some of these transformation rules are presented in the following. At first we begin by presenting some compatibility aspects.

- Transformation of Statecharts into FNLOG.
The translation of a Statechart specification to an FNLOG specification consists of transforming the states and transitions from the various levels of the structure into FNLOG formulas, and is based on the primitives' transformations and the compositions' transformations given in Table 1.

Table 1. Transformation of statechart primitives to FNLOG

Statecharts | FNLOG
State | Activity
Action, Event | Event
Input event in a state: en(state) | n (en(s)) n (init-s)
Output event in a state: ex(state) | n (ex(s)) n (term-s)
Duration of activity | Duration of activity
Basic states | FNLOG functions
OR of two states | Disjunction of two FNLOG specifications
AND of two states | Conjunction of two FNLOG specifications
Transition labeled E_i [C_i] / A_i | n (Fire(Ei[Ci]/Ai)) = n (Ei) n (Ci) n (Ai)

To illustrate the transformation of a statechart to FNLOG, we consider the example given in Fig. 3. When the system is in state S, it is simultaneously in two substates, E and G. In state E, it can be in state A or in state B; and when it is in state G, it can likewise be either in C or in D. Here is the specification of the system in Statecharts, then its transformation in FNLOG.

[Fig. 3. Composition of basic states using AND and OR operators: A, B, C and D are basic states; E (containing A and B) and G (containing C and D) are OR-states; S is an AND-state.]

The transformation in FNLOG notation gives:
t (S) t (E) t (G) (conjunction of two FNLOG formulae)
t (E) t (A) t (B) (disjunction of two FNLOG formulae)
t (G) t (C) t (D) (disjunction of two FNLOG formulae)

Transformation of a cycle encapsulating states. Other transformations are intended to specify state duration. Let us consider the example given in Fig. 4, in which E is a state encapsulating two substates A and B. On entry to state E, the variable D takes the value 0. In the encapsulated substates, D is incremented with each clock tick. The exit from state E occurs when D = K or when the event e occurs. We can then deduce that the duration of this cycle does not exceed K time units.

[Fig. 4. Transformation of a cycle encapsulating states: E is entered with / D := 0 and contains the substates A and B, each with / D := D+1; E is left towards C on [D = k] and towards F on the event e. X is the duration spent in state A and Y the duration spent in state B, with X, Y < k. The transformation of the cycle gives: t-k (init-e) t t-k (e) t (term-e).]

Transformation of time expressions. Two classes of time expressions are found in statecharts: the event timeout and the scheduled action [7].
- Timeout(E, T), abbreviated tm(E, T), where E is an event and T an integer, defines a new event generated T time units after the last occurrence of the event E.
- Schedule(G, T), abbreviated Sc!(G, T), where G is an action and T an integer, defines the execution of G T time units after the execution of the primitive Sc. So, if at some time the system is in state A, then after T time units the action G will be executed.
The transformation of these expressions is given in Table 2.

Table 2. Transformation of time expressions into FNLOG

Statecharts | FNLOG
A --Tm(en(A), x)--> B | t-x (init-a) t (init-b)
A --Sc!(G, x)--> B | t-x (init-a) t (G)

- Transformation of the activity-charts into FNLOG.
The activity-charts complete the descriptions given by the Statecharts by adding the description of the data flow. An activity is defined with a beginning instant, an end instant, and a finite duration between them. In FNLOG also, an activity is characterised by two events, the event init-activity and the event term-activity, and a duration between the two events. The transformation of the activity-chart elements associates to Events and activities their corresponding FNLOG Events and activities; to Data is associated a natural expression, and to a condition a Boolean expression.

Transformation of the relation between statecharts and activity-charts. Statecharts and Activity-charts are closely dependent. A statechart is associated with each activity. It describes the decomposition of an activity into sub-activities, i.e. it describes the behavior of an activity by defining the instants when each sub-activity must be started, stopped, suspended or resumed, respectively by the events started(..), stopped(..), suspend(..) and resume(..). In the other direction, by sending an event, an activity causes state transitions. Thus, the relations between statecharts and activity-charts are transformed through the exchanged events. The corresponding FNLOG formulae are given in the following table.

Table 3. Transformation of events relating activity-charts to statecharts

STATEMATE | FNLOG
St!(A): the activity A is started | n (st!(a)) n (init-a)
Sd!(A): the activity A is suspended | n (sd!(a)) n (term-a)
Sp!(A): the activity A is stopped | n (sp!(a)) n (term-a)
Rs!(A): the activity A is restarted | n (rs!(a)) n (init-a)
Tr!(C): the condition C becomes true | n (tr!(c)) n (C = true)
Fs!(C): the condition C becomes false | n (fs!(c)) n (C = false)

In the example given in Fig. 5, the statechart AB_control controls the activities A and B. It indicates the time when each activity must be started (st!(a)), suspended (sd!(a)), resumed (rs!(b)) or stopped (sp!(b)). In the other direction, the activity A causes, by the event E, a transition from the state AC_A to the state AC_C. The corresponding FNLOG formula for the transition /st!(a) is: n (sp!(a)) n (term-a)

[Fig. 5. Example of relation between the Statechart AB_control and the Activity-chart A: activities A and B; transitions labelled /st!(a), E/sd!(A); st!(b), /rs!(A) and Sp!(B)/rs!(A) between the states AC_A and AC_B.]

Step 4. Composition in FNLOG. The fourth step is a composition of the FNLOG formulae associated to the basic and non-basic activities obtained in step 3. It is the conjunction of the FNLOG formulae found at each level of the decomposition obtained at steps 2 and 3. For each activity, we directly define the data and the sub-activities as data and operations (or functions) in FNLOG, and then we associate each of the statecharts to the corresponding controlled activity. In this step, we compose the activities and the events specified in FNLOG. This composition is based on the causality relation between them. We note that this step is used only if the system is complex and is refined over several levels.

Step 5. Verification. The fifth step is a verification step. It consists of proving that the behavior specification found in the fourth step implies the system's requirements specified in the first step. These requirements are in general safety or liveness properties depending on time considerations such as periodicity and time out [8], [14]. The temporal logic FNLOG refers to a point time structure defining a precedence relation and a metric over a set of points. However, a problem arises in the verification of such duration properties with the existing axiomatics. To simplify such verification, we extend the FNLOG axiomatics [18] with the two axioms presented below.

Duration over state sequence. The duration of an interval associated to a state sequence is the total length of the sub-intervals associated to each state. We consider in Fig. 6 three consecutive states A, B and C. A is followed by B and B is followed by C. A lasts x time units and B lasts y time units. The duration from the beginning of A to the beginning of C is x+y.

[Fig. 6. Duration over a state sequence: A --Tm(en(a), x)--> B --Tm(en(b), y)--> C.]

Axiom 1. ( t x (init-a) t (init-b) t y (init-b) t (term-b)) t (x + y) (init-a) t (term-b)

Reachability / Accessibility. If a property φ holds in an interval [t-k, t] with t>k, then it holds also in the interval [t-j, t] with j k.

Axiom 2. t t-k (φ) t t-j (φ) j k
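As an added illustration (not code from the paper or from any FNLOG tool), the following Python evaluates the FNLOG operators of Section 3 over a constructed finite trace and applies the Table 1 composition rules to the Fig. 3 statechart, the Table 2 timeout rule to the Fig. 6 sequence, and checks Axiom 1 and Axiom 2 on those runs; the Trace class, the operator and function names, the sample runs and the reading of Axiom 1 as referring to the start and end instants of B are assumptions of the example.

```python
"""Trace-based evaluator for the FNLOG fragment above: events and activities over
discrete instants, past-time operators, the Table 1 rules (AND-state = conjunction,
OR-state = disjunction), the Table 2 timeout rule and Axioms 1 and 2.  Constructed
illustration: the Trace class, function names and sample runs are assumptions of
this example, not code from the paper or from any FNLOG tool."""
from dataclasses import dataclass, field


@dataclass
class Trace:
    """Finite run over instants 0..length-1; events[t] is the set of event names
    holding at t.  An activity A is represented by its two special events init-A
    and term-A (the paper's initiate-A / terminate-A)."""
    length: int
    events: dict = field(default_factory=dict)

    def raise_event(self, t, name):
        self.events.setdefault(t, set()).add(name)

    def holds(self, t, name):                 # event holds at t (false off-trace)
        return 0 <= t < self.length and name in self.events.get(t, set())

    def alive(self, t, activity):
        """Initiated at t, or initiated earlier and not yet terminated at t
        (a term-A occurring at t counts as terminated)."""
        if not 0 <= t < self.length:
            return False
        for u in range(t, -1, -1):            # walk back to the latest init/term
            if self.holds(u, f"init-{activity}"):
                return True
            if self.holds(u, f"term-{activity}"):
                return False
        return False


# Predicates are functions t -> bool, so the operators below compose freely.
def event(tr, name):
    return lambda t: tr.holds(t, name)

def in_state(tr, name):                       # a state is an activity (Table 1)
    return lambda t: tr.alive(t, name)

# Past-time operators of Section 3 (names chosen here; the paper uses symbols).
def at(p, t):                                 # true at instant t
    return p(t)

def k_before(p, t, k):                        # true k instants before t, t >= k
    return t >= k and p(t - k)

def some_in_last(p, t, k):                    # true at some instant in [t-k, t]
    return t >= k and any(p(u) for u in range(t - k, t + 1))

def all_in_last(p, t, k):                     # true at all instants in [t-k, t]
    return t >= k and all(p(u) for u in range(t - k, t + 1))

# Composition rules of Table 1 / Fig. 3.
def and_state(*subs):                         # in all substates simultaneously
    return lambda t: all(s(t) for s in subs)

def or_state(*subs):                          # in exactly one of the substates
    return lambda t: sum(1 for s in subs if s(t)) == 1


def fig3_in_s():
    """Fig. 3 on a constructed 6-instant run: S = AND(E, G), E = OR(A, B),
    G = OR(C, D).  Returns the instants at which the system is in S."""
    tr = Trace(6)
    tr.raise_event(0, "init-A"); tr.raise_event(0, "init-C")   # enter S: A and C
    tr.raise_event(2, "term-A"); tr.raise_event(2, "init-B")   # inside E: A -> B
    tr.raise_event(4, "term-C"); tr.raise_event(4, "init-D")   # inside G: C -> D
    tr.raise_event(5, "term-B"); tr.raise_event(5, "term-D")   # leave S
    in_e = or_state(in_state(tr, "A"), in_state(tr, "B"))
    in_g = or_state(in_state(tr, "C"), in_state(tr, "D"))
    in_s = and_state(in_e, in_g)
    return [t for t in range(tr.length) if at(in_s, t)]       # [0, 1, 2, 3, 4]


def axiom1_witnesses(x=3, y=2):
    """Fig. 6 on a constructed run: A lasts x ticks, B lasts y ticks, then C.
    Each edge is the Table 2 timeout rule (init of the source x before t, init of
    the target at t).  Returns the (t, t') pairs where both premises of Axiom 1
    hold, after checking its conclusion (init-A x+y before t', term-B at t').
    Reading assumed here: t is the instant B starts, t' the instant B ends."""
    tr = Trace(x + y + 2)
    tr.raise_event(0, "init-A")
    tr.raise_event(x, "term-A"); tr.raise_event(x, "init-B")          # Tm(en(A), x)
    tr.raise_event(x + y, "term-B"); tr.raise_event(x + y, "init-C")  # Tm(en(B), y)
    init_a, init_b, term_b = (event(tr, n) for n in ("init-A", "init-B", "term-B"))
    witnesses = []
    for t in range(tr.length):
        for t2 in range(tr.length):
            if (k_before(init_a, t, x) and at(init_b, t)
                    and k_before(init_b, t2, y) and at(term_b, t2)):
                if not (k_before(init_a, t2, x + y) and at(term_b, t2)):
                    raise AssertionError(f"Axiom 1 violated at t={t}, t'={t2}")
                witnesses.append((t, t2))
    return witnesses                                            # [(3, 5)] for x=3, y=2


def axiom2_holds(p, t, k):
    """Axiom 2: p throughout [t-k, t] implies p throughout [t-j, t] for all j <= k."""
    return (not all_in_last(p, t, k)) or all(all_in_last(p, t, j) for j in range(k + 1))
```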

5 Conclusion

In this paper, a new technique for the specification and the verification of complex real-time systems integrating STATEMATE and FNLOG has been proposed. A STATEMATE specification is translated into the FNLOG notation; the specification then becomes verifiable by using the FNLOG axiomatics. The most distinctive characteristic of our approach is the simple way of specifying and verifying real-time systems while dealing with both functional and behavioral aspects. The proposed approach consists firstly of specifying the system with the STATEMATE notation, which provides a clear and understandable specification (starting with a decompositional specification with activity-charts, then a behavioral specification with statecharts), and describing the required properties with FNLOG; secondly of translating this specification into the FNLOG notation, by a recomposition, to be verified; and then of verifying that the behavior specification implies the requirements using the proof system of FNLOG. To reason about duration, we have extended the FNLOG axiomatics and introduced two axioms, one for duration over a state sequence and the other for the accessibility of a state over an interval. The axiomatization of our technique also requires a long term effort, and this paper represents a tentative attempt in this direction. In this paper we have presented correspondence rules between statecharts, activity-charts and FNLOG without formalizing them, and we did not treat the decomposition of activities in STATEMATE, so only the first level of abstraction is transformed. In further work, we will propose automatic derivation schemes from STATEMATE to FNLOG, define the transformation process of the STATEMATE notations (Statecharts, Activity-charts, ...) and an algorithm translating a STATEMATE model to FNLOG specifications.

References

[1] G. Berry & L. Cosserat, "The ESTEREL synchronous programming language and its mathematical semantics," Seminar on Concurrency, Lecture Notes in Computer Science (LNCS), Vol. 197, Springer-Verlag, pp.
[2] G. Booch, J. Rumbaugh & I. Jacobson, The Unified Modelling Language User Guide, Addison Wesley.
[3] R. Büssow & W. Grieskamp, "A Modular Framework for the Integration of Heterogeneous Notations and Tools," 1st Intl. Conference on Integrated Formal Methods (IFM00), Springer-Verlag.
[4] R. Büssow, W. Grieskamp, W. Heicking & S. Herrmann, "An Open Environment for the Integration of Heterogeneous Modelling Techniques and Tools," Intl. Workshop on Current Trends in Applied Formal Methods, LNCS, Vol. 1641, Springer-Verlag, Berlin.
[5] U. Brockmeyer & G. Wittich, Real-Time Verification of STATEMATE Designs, OFFIS, Oldenburg, Germany.
[6] H. Fekih, L. Jemni & S. Merz, "Transformation des spécifications B en des diagrammes UML," AFADL: Approches Formelles dans l'Assistance au Développement de Logiciels, pp. , Besançon, France, July.
[7] J. Fitzgerald & P. G. Larsen, Modelling Systems: Practical Tools and Techniques in Software Development, Cambridge University Press, 1997.

[8] D. Harel, STATEMATE: the Languages of Statemate, Technical Report, USA.
[9] D. Harel & M. Politi, Modeling Reactive Systems with Statecharts: The Statemate Approach, i-Logix Inc, Three Riverside Drive, Andover, MA 01810, Part No. D, 6/96, USA, 1997.
[10] D. Harel, A. Pnueli, J. P. Schmidt & R. Sherman, "On the formal semantics of Statecharts," 2nd IEEE Symposium on Logic in Computer Science, Ithaca, NY, USA, pp.
[11] J. Hooman, S. Ramesh & W. P. de Roever, "A Compositional Semantics for Statecharts," Formal Models of Concurrency, Novosibirsk, USSR.
[12] J. Hooman, S. Ramesh & W. P. de Roever, "A compositional axiomatization of safety and liveness properties of statecharts," Int. BCS-FACS Workshop on Semantics for Concurrency, Univ. of Leicester, UK.
[13] H. Ledang & J. Souquières, "Contributions for Modelling UML State-Charts in B," in M. Butler, L. Petre & K. Sere, eds., 3rd International Conference on Integrated Formal Methods (IFM 02), Lecture Notes in Computer Science, Vol. 2335, pp. , Finland, Springer-Verlag.
[14] F. Jahanian & A. K.-L. Mok, "Safety analysis of timing properties in real-time systems," IEEE Trans. on Soft. Eng., Vol. 12, No. 9, pp.
[15] O. Mosbahi, L. Jemni, S. Ben Ahmed & J. Jarray, "A specification and validation technique based on STATEMATE and FNLOG," Formal Methods and Software Engineering, 4th International Conference on Formal Methods and Software Engineering (ICFEM), LNCS, Vol. 2495, China, October.
[16] E. Sekerinski & R. Zurob, "Translating Statecharts to B," 3rd International Conference on Integrated Formal Methods (IFM 02), LNCS, Vol. 2335, pp. , Finland.
[17] A. Sowmya & S. Ramesh, "Extending Statecharts with Temporal Logic," IEEE Trans. on Soft. Eng., Vol. 24, No. 3.
[18] A. Sowmya & S. Ramesh, "A Semantics-Preserving Transformation of Statecharts to FNLOG," 14th IFAC Workshop on Distributed Computer Control Systems, Seoul, Korea, 1997.


More information

Embedded Systems Development

Embedded Systems Development Embedded Systems Development Lecture 2 Finite Automata & SyncCharts Daniel Kästner AbsInt Angewandte Informatik GmbH kaestner@absint.com Some things I forgot to mention 2 Remember the HISPOS registration

More information

Shared Memory vs Message Passing

Shared Memory vs Message Passing Shared Memory vs Message Passing Carole Delporte-Gallet Hugues Fauconnier Rachid Guerraoui Revised: 15 February 2004 Abstract This paper determines the computational strength of the shared memory abstraction

More information

Model checking the basic modalities of CTL with Description Logic

Model checking the basic modalities of CTL with Description Logic Model checking the basic modalities of CTL with Description Logic Shoham Ben-David Richard Trefler Grant Weddell David R. Cheriton School of Computer Science University of Waterloo Abstract. Model checking

More information

Finite-State Model Checking

Finite-State Model Checking EECS 219C: Computer-Aided Verification Intro. to Model Checking: Models and Properties Sanjit A. Seshia EECS, UC Berkeley Finite-State Model Checking G(p X q) Temporal logic q p FSM Model Checker Yes,

More information

Design of Embedded Systems: Models, Validation and Synthesis (EE 249) Lecture 9

Design of Embedded Systems: Models, Validation and Synthesis (EE 249) Lecture 9 Design of Embedded Systems: Models, Validation and Synthesis (EE 249) Lecture 9 Prof. Dr. Reinhard von Hanxleden Christian-Albrechts Universität Kiel Department of Computer Science Real-Time Systems and

More information

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling

More information

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the Sérgio Campos, Edmund Why? Advantages: No proofs Fast Counter-examples No problem with partial specifications can easily express many concurrency properties Main Disadvantage: State Explosion Problem Too

More information

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Hoare Logic (I): Axiomatic Semantics and Program Correctness Hoare Logic (I): Axiomatic Semantics and Program Correctness (Based on [Apt and Olderog 1991; Gries 1981; Hoare 1969; Kleymann 1999; Sethi 199]) Yih-Kuen Tsay Dept. of Information Management National Taiwan

More information

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms Wen-ling Huang and Jan Peleska University of Bremen {huang,jp}@cs.uni-bremen.de MBT-Paradigm Model Is a partial

More information

A Simplified Approach for Testing Real-Time Systems Based on Action Refinement

A Simplified Approach for Testing Real-Time Systems Based on Action Refinement A Simplified Approach for Testing Real-Time Systems Based on Action Refinement Saddek Bensalem, Moez Krichen, Lotfi Majdoub, Riadh Robbana, Stavros Tripakis Verimag Laboratory, Centre Equation 2, avenue

More information

Diagram-based Formalisms for the Verication of. Reactive Systems. Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas E.

Diagram-based Formalisms for the Verication of. Reactive Systems. Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas E. In CADE-1 Workshop on Visual Reasoning, New Brunswick, NJ, July 1996. Diagram-based Formalisms for the Verication of Reactive Systems Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas

More information

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino Formal Verification Techniques Riccardo Sisto, Politecnico di Torino State exploration State Exploration and Theorem Proving Exhaustive exploration => result is certain (correctness or noncorrectness proof)

More information

Using Patterns and Composite Propositions to Automate the Generation of LTL Specifications

Using Patterns and Composite Propositions to Automate the Generation of LTL Specifications Using Patterns and Composite Propositions to Automate the Generation of LTL Specifications Salamah Salamah, Ann Q. Gates, Vladik Kreinovich, and Steve Roach Dept. of Computer Science, University of Texas

More information

Linear Temporal Logic and Büchi Automata

Linear Temporal Logic and Büchi Automata Linear Temporal Logic and Büchi Automata Yih-Kuen Tsay Department of Information Management National Taiwan University FLOLAC 2009 Yih-Kuen Tsay (SVVRL @ IM.NTU) Linear Temporal Logic and Büchi Automata

More information

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Lecture Notes: Axiomatic Semantics and Hoare-style Verification Lecture Notes: Axiomatic Semantics and Hoare-style Verification 17-355/17-665/17-819O: Program Analysis (Spring 2018) Claire Le Goues and Jonathan Aldrich clegoues@cs.cmu.edu, aldrich@cs.cmu.edu It has

More information

Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues

Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues Content What are Events? Examples for Problematic Event Semantics Inhibit, Enabler / Conditioning

More information

Opus: University of Bath Online Publication Store

Opus: University of Bath Online Publication Store Lam, V. S. W. (2006) A formal execution semantics and rigorous analytical approach for communicating UML statechart diagrams. Other. Department of Computer Science, University of Bath. Link to official

More information

The STATEMATE Semantics of Statecharts. Presentation by: John Finn October 5, by David Harel

The STATEMATE Semantics of Statecharts. Presentation by: John Finn October 5, by David Harel The STATEMATE Semantics of Statecharts Presentation by: John Finn October 5, 2010 by David Harel Outline Introduction The Basics System Reactions Compound Transitions History Scope of Transitions Conflicting

More information

Automata-Theoretic Model Checking of Reactive Systems

Automata-Theoretic Model Checking of Reactive Systems Automata-Theoretic Model Checking of Reactive Systems Radu Iosif Verimag/CNRS (Grenoble, France) Thanks to Tom Henzinger (IST, Austria), Barbara Jobstmann (CNRS, Grenoble) and Doron Peled (Bar-Ilan University,

More information

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Relational Interfaces and Refinement Calculus for Compositional System Reasoning Relational Interfaces and Refinement Calculus for Compositional System Reasoning Viorel Preoteasa Joint work with Stavros Tripakis and Iulia Dragomir 1 Overview Motivation General refinement Relational

More information

Seamless Model Driven Development and Tool Support for Embedded Software-Intensive Systems

Seamless Model Driven Development and Tool Support for Embedded Software-Intensive Systems Seamless Model Driven Development and Tool Support for Embedded Software-Intensive Systems Computer Journal Lecture - 22nd June 2009 Manfred Broy Technische Universität München Institut für Informatik

More information

Verification Using Temporal Logic

Verification Using Temporal Logic CMSC 630 February 25, 2015 1 Verification Using Temporal Logic Sources: E.M. Clarke, O. Grumberg and D. Peled. Model Checking. MIT Press, Cambridge, 2000. E.A. Emerson. Temporal and Modal Logic. Chapter

More information

Abstractions and Decision Procedures for Effective Software Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture

More information

Theoretical Foundations of the UML Lecture 18: Statecharts Semantics (1)

Theoretical Foundations of the UML Lecture 18: Statecharts Semantics (1) Theoretical Foundations of the UML Lecture 18: Statecharts Semantics (1) Joost-Pieter Katoen Lehrstuhl für Informatik 2 Software Modeling and Verification Group http://moves.rwth-aachen.de/teaching/ws-1415/uml/

More information

Lecture 2: Axiomatic semantics

Lecture 2: Axiomatic semantics Chair of Software Engineering Trusted Components Prof. Dr. Bertrand Meyer Lecture 2: Axiomatic semantics Reading assignment for next week Ariane paper and response (see course page) Axiomatic semantics

More information

The Discrete EVent System specification (DEVS) formalism

The Discrete EVent System specification (DEVS) formalism The Discrete EVent System specification (DEVS) formalism Hans Vangheluwe The DEVS formalism was conceived by Zeigler [Zei84a, Zei84b] to provide a rigourous common basis for discrete-event modelling and

More information

Lecture 05: High-Level Design with SysML. An Introduction to SysML. Where are we? What is a model? The Unified Modeling Language (UML)

Lecture 05: High-Level Design with SysML. An Introduction to SysML. Where are we? What is a model? The Unified Modeling Language (UML) Where are we? Systeme hoher Sicherheit und Qualität Universität Bremen, WS 2017/2018 Lecture 05: High-Level Design with SysML Christoph Lüth, Dieter Hutter, Jan Peleska 01: Concepts of Quality 02: Legal

More information

Sequential programs. Uri Abraham. March 9, 2014

Sequential programs. Uri Abraham. March 9, 2014 Sequential programs Uri Abraham March 9, 2014 Abstract In this lecture we deal with executions by a single processor, and explain some basic notions which are important for concurrent systems as well.

More information

A Deterministic Logical Semantics for Esterel

A Deterministic Logical Semantics for Esterel SOS 2004 Preliminary Version A Deterministic Logical Semantics for Esterel Olivier Tardieu 1 NRA Sophia Antipolis, France Abstract Esterel is a synchronous design language for the specification of reactive

More information

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct. EE 244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2016 Temporal logic Stavros Tripakis University of California, Berkeley Stavros Tripakis (UC Berkeley) EE 244, Fall 2016

More information

A Theory for Composing Distributed Components, Based on Temporary Interference

A Theory for Composing Distributed Components, Based on Temporary Interference A Theory for Composing Distributed Components, Based on Temporary Interference I.S.W.B. Prasetya T.E.J. Vos S.D. Swierstra B. Widjaja Abstract Compositionality provides the foundation of software modularity,

More information

Consistent Fixed Points and Negative Gain

Consistent Fixed Points and Negative Gain 2009 International Conference on Parallel and Distributed Computing, Applications and Technologies Consistent Fixed Points and Negative Gain H. B. Acharya The University of Texas at Austin acharya @ cs.utexas.edu

More information

Designing and Evaluating Generic Ontologies

Designing and Evaluating Generic Ontologies Designing and Evaluating Generic Ontologies Michael Grüninger Department of Industrial Engineering University of Toronto gruninger@ie.utoronto.ca August 28, 2007 1 Introduction One of the many uses of

More information

Finite State Machines. CS 447 Wireless Embedded Systems

Finite State Machines. CS 447 Wireless Embedded Systems Finite State Machines CS 447 Wireless Embedded Systems Outline Discrete systems Finite State Machines Transitions Timing Update functions Determinacy and Receptiveness 1 Discrete Systems Operates in sequence

More information

Part I. Principles and Techniques

Part I. Principles and Techniques Introduction to Formal Methods Part I. Principles and Techniques Lecturer: JUNBEOM YOO jbyoo@konkuk.ac.kr Introduction Text System and Software Verification : Model-Checking Techniques and Tools In this

More information

ESE601: Hybrid Systems. Introduction to verification

ESE601: Hybrid Systems. Introduction to verification ESE601: Hybrid Systems Introduction to verification Spring 2006 Suggested reading material Papers (R14) - (R16) on the website. The book Model checking by Clarke, Grumberg and Peled. What is verification?

More information

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft) Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft) Jayadev Misra December 18, 2015 Contents 1 Introduction 3 2 Program and Execution Model 4 2.1 Program Structure..........................

More information

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Specification Patterns Copyright 2001-2002, Matt Dwyer, John Hatcliff, Robby. The syllabus and all lectures for this

More information

MOST today s embedded real-time systems, e.g. telephone,

MOST today s embedded real-time systems, e.g. telephone, INTL JOURNAL OF ELECTRONICS AND TELECOMMUNICATIONS, 2012, VOL. 58, NO. 4, PP. 411 418 Manuscript received October 31, 2012; revised Decemer, 2012. DOI: 10.2478/v10177-012-0056-9 The Problems of Transition

More information

Constraint Solving for Program Verification: Theory and Practice by Example

Constraint Solving for Program Verification: Theory and Practice by Example Constraint Solving for Program Verification: Theory and Practice by Example Andrey Rybalchenko Technische Universität München Abstract. Program verification relies on the construction of auxiliary assertions

More information

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati NPTEL Phase-II Video course on Design Verification and Test of Digital VLSI Designs Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati Module IV: Temporal Logic Lecture I: Introduction to formal methods

More information

Notes. Corneliu Popeea. May 3, 2013

Notes. Corneliu Popeea. May 3, 2013 Notes Corneliu Popeea May 3, 2013 1 Propositional logic Syntax We rely on a set of atomic propositions, AP, containing atoms like p, q. A propositional logic formula φ Formula is then defined by the following

More information

Time and Timed Petri Nets

Time and Timed Petri Nets Time and Timed Petri Nets Serge Haddad LSV ENS Cachan & CNRS & INRIA haddad@lsv.ens-cachan.fr DISC 11, June 9th 2011 1 Time and Petri Nets 2 Timed Models 3 Expressiveness 4 Analysis 1/36 Outline 1 Time

More information

The Underlying Semantics of Transition Systems

The Underlying Semantics of Transition Systems The Underlying Semantics of Transition Systems J. M. Crawford D. M. Goldschlag Technical Report 17 December 1987 Computational Logic Inc. 1717 W. 6th St. Suite 290 Austin, Texas 78703 (512) 322-9951 1

More information

Embedded Systems 5. Synchronous Composition. Lee/Seshia Section 6.2

Embedded Systems 5. Synchronous Composition. Lee/Seshia Section 6.2 Embedded Systems 5-1 - Synchronous Composition Lee/Seshia Section 6.2 Important semantic model for concurrent composition Here: composition of actors Foundation of Statecharts, Simulink, synchronous programming

More information

Reconciling Situation Calculus and Fluent Calculus

Reconciling Situation Calculus and Fluent Calculus Reconciling Situation Calculus and Fluent Calculus Stephan Schiffel and Michael Thielscher Department of Computer Science Dresden University of Technology {stephan.schiffel,mit}@inf.tu-dresden.de Abstract

More information

An Efficient Decision Procedure for Functional Decomposable Theories Based on Dual Constraints

An Efficient Decision Procedure for Functional Decomposable Theories Based on Dual Constraints An Efficient Decision Procedure for Functional Decomposable Theories Based on Dual Constraints Khalil Djelloul Laboratoire d Informatique Fondamentale d Orléans. Bat. 3IA, rue Léonard de Vinci. 45067 Orléans,

More information

Synchronous Reactive Systems

Synchronous Reactive Systems Synchronous Reactive Systems Stephen Edwards sedwards@synopsys.com Synopsys, Inc. Outline Synchronous Reactive Systems Heterogeneity and Ptolemy Semantics of the SR Domain Scheduling the SR Domain 2 Reactive

More information

T Reactive Systems: Temporal Logic LTL

T Reactive Systems: Temporal Logic LTL Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Temporal Logic LTL Spring 2005, Lecture 4 January 31, 2005 Tik-79.186 Reactive Systems 2 Temporal Logics Temporal logics are currently the most

More information

The TLA + proof system

The TLA + proof system The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 Stephan

More information

An Indian Journal FULL PAPER ABSTRACT KEYWORDS. Trade Science Inc.

An Indian Journal FULL PAPER ABSTRACT KEYWORDS. Trade Science Inc. [Type text] [Type text] [Type text] ISSN : 0974-7435 Volume 10 Issue 11 BioTechnology 2014 An Indian Journal FULL PAPER BTAIJ, 10(11), 2014 [5576-5583] Research on the probability of extended UML state

More information

Model Checking: An Introduction

Model Checking: An Introduction Model Checking: An Introduction Meeting 3, CSCI 5535, Spring 2013 Announcements Homework 0 ( Preliminaries ) out, due Friday Saturday This Week Dive into research motivating CSCI 5535 Next Week Begin foundations

More information

The State Explosion Problem

The State Explosion Problem The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis

More information

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs Review Operational semantics relatively l simple many flavors (small vs. big) not compositional (rule for while) Good for describing language implementation reasoning about properties of the language eg.

More information

Proving Safety Properties of the Steam Boiler Controller. Abstract

Proving Safety Properties of the Steam Boiler Controller. Abstract Formal Methods for Industrial Applications: A Case Study Gunter Leeb leeb@auto.tuwien.ac.at Vienna University of Technology Department for Automation Treitlstr. 3, A-1040 Vienna, Austria Abstract Nancy

More information

Decomposing Specifications of Concurrent Systems

Decomposing Specifications of Concurrent Systems 327 Decomposing Specifications of Concurrent Systems Martín Abadi and Leslie Lamport Systems Research Center, Digital Equipment Corporation 130 Lytton Avenue, Palo Alto, CA 94301, U.S.A. We introduce a

More information

Proving Inter-Program Properties

Proving Inter-Program Properties Unité Mixte de Recherche 5104 CNRS - INPG - UJF Centre Equation 2, avenue de VIGNATE F-38610 GIERES tel : +33 456 52 03 40 fax : +33 456 52 03 50 http://www-verimag.imag.fr Proving Inter-Program Properties

More information

Generating Linear Temporal Logic Formulas for Pattern-Based Specifications

Generating Linear Temporal Logic Formulas for Pattern-Based Specifications Generating Linear Temporal Logic Formulas for Pattern-Based Specifications Salamah Salamah, Vladik Kreinovich, and Ann Q. Gates Dept. of Computer Science, University of Texas at El Paso El Paso, TX 79968,

More information

Information System Design IT60105

Information System Design IT60105 n IT60105 Lecture 13 Statechart Diagrams Lecture #13 What is a Statechart diagram? Basic components in a state-chart diagram and their notations Examples: Process Order in OLP system What is a Statechart

More information

Algebraic Trace Theory

Algebraic Trace Theory Algebraic Trace Theory EE249 Roberto Passerone Material from: Jerry R. Burch, Trace Theory for Automatic Verification of Real-Time Concurrent Systems, PhD thesis, CMU, August 1992 October 21, 2002 ee249

More information

DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES

DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES Maxim Gromov 1, Khaled El-Fakih 2, Natalia Shabaldina 1, Nina Yevtushenko 1 1 Tomsk State University, 36 Lenin Str.. Tomsk, 634050, Russia gromov@sibmail.com,

More information

Ranking Verification Counterexamples: An Invariant guided approach

Ranking Verification Counterexamples: An Invariant guided approach Ranking Verification Counterexamples: An Invariant guided approach Ansuman Banerjee Indian Statistical Institute Joint work with Pallab Dasgupta, Srobona Mitra and Harish Kumar Complex Systems Everywhere

More information

Theoretical Foundations of the UML

Theoretical Foundations of the UML Theoretical Foundations of the UML Lecture 17+18: A Logic for MSCs Joost-Pieter Katoen Lehrstuhl für Informatik 2 Software Modeling and Verification Group moves.rwth-aachen.de/teaching/ws-1718/fuml/ 5.

More information

Program Analysis Part I : Sequential Programs

Program Analysis Part I : Sequential Programs Program Analysis Part I : Sequential Programs IN5170/IN9170 Models of concurrency Program Analysis, lecture 5 Fall 2018 26. 9. 2018 2 / 44 Program correctness Is my program correct? Central question for

More information

Program Composition in Isabelle/UNITY

Program Composition in Isabelle/UNITY Program Composition in Isabelle/UNITY Sidi O. Ehmety and Lawrence C. Paulson Cambridge University Computer Laboratory J J Thomson Avenue Cambridge CB3 0FD England Tel. (44) 1223 763584 Fax. (44) 1223 334678

More information

Semantics of S.S.M. (Safe State Machine)

Semantics of S.S.M. (Safe State Machine) Semantics of S.S.M. (Safe State Machine) Charles André I3S Laboratory UMR 6070 University of Nice-Sophia Antipolis / CNRS BP 121 F 06903 Sophia Antipolis cédex andre@unice.fr April 2003 1 2 Semantics of

More information

Static Program Analysis using Abstract Interpretation

Static Program Analysis using Abstract Interpretation Static Program Analysis using Abstract Interpretation Introduction Static Program Analysis Static program analysis consists of automatically discovering properties of a program that hold for all possible

More information

This is logically equivalent to the conjunction of the positive assertion Minimal Arithmetic and Representability

This is logically equivalent to the conjunction of the positive assertion Minimal Arithmetic and Representability 16.2. MINIMAL ARITHMETIC AND REPRESENTABILITY 207 If T is a consistent theory in the language of arithmetic, we say a set S is defined in T by D(x) if for all n, if n is in S, then D(n) is a theorem of

More information

Linking Duration Calculus and TLA

Linking Duration Calculus and TLA Linking Duration Calculus and TLA Yifeng Chen and Zhiming Liu Department of Computer Science, University of Leicester, Leicester LE1 7RH, UK Email: {Y.Chen, Z.Liu}@mcs.le.ac.uk Abstract. Different temporal

More information

A Novel Technique to Extract Statechart Representations of FSMs (Synopsis Report)

A Novel Technique to Extract Statechart Representations of FSMs (Synopsis Report) A Novel Technique to Extract Statechart Representations of FSMs (Synopsis Report) A report submitted in partial fulfillment of the requirements for the degree of Master of Technology In Computer Science

More information

arxiv: v1 [cs.dc] 3 Oct 2011

arxiv: v1 [cs.dc] 3 Oct 2011 A Taxonomy of aemons in Self-Stabilization Swan ubois Sébastien Tixeuil arxiv:1110.0334v1 cs.c] 3 Oct 2011 Abstract We survey existing scheduling hypotheses made in the literature in self-stabilization,

More information

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations (Extended Abstract) Gaoyan Xie, Cheng Li and Zhe Dang School of Electrical Engineering and

More information

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Discrete Systems Lecture: Automata, State machines, Circuits Stavros Tripakis University of California, Berkeley Stavros

More information

On the Design of Adaptive Supervisors for Discrete Event Systems

On the Design of Adaptive Supervisors for Discrete Event Systems On the Design of Adaptive Supervisors for Discrete Event Systems Vigyan CHANDRA Department of Technology, Eastern Kentucky University Richmond, KY 40475, USA and Siddhartha BHATTACHARYYA Division of Computer

More information

Towards a formal language for systemic requirements

Towards a formal language for systemic requirements Towards a formal language for systemic requirements LIX, Yann Hourdel École Polytechnique, 91128 Palaiseau Cedex, France, yann.hourdel@polytechnique.edu Abstract. This work is an attempt to contribute

More information

Models for Efficient Timed Verification

Models for Efficient Timed Verification Models for Efficient Timed Verification François Laroussinie LSV / ENS de Cachan CNRS UMR 8643 Monterey Workshop - Composition of embedded systems Model checking System Properties Formalizing step? ϕ Model

More information

Software Verification with Abstraction-Based Methods

Software Verification with Abstraction-Based Methods Software Verification with Abstraction-Based Methods Ákos Hajdu PhD student Department of Measurement and Information Systems, Budapest University of Technology and Economics MTA-BME Lendület Cyber-Physical

More information

Static Program Analysis

Static Program Analysis Static Program Analysis Lecture 16: Abstract Interpretation VI (Counterexample-Guided Abstraction Refinement) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de

More information

Benefits of Interval Temporal Logic for Specification of Concurrent Systems

Benefits of Interval Temporal Logic for Specification of Concurrent Systems Benefits of Interval Temporal Logic for Specification of Concurrent Systems Ben Moszkowski Software Technology Research Laboratory De Montfort University Leicester Great Britain email: benm@dmu.ac.uk http://www.tech.dmu.ac.uk/~benm

More information
