TY - GEN
T1 - Verifying the interface compliance of federates using pre- and postconditions of RTI services
AU - Kizilay, Vijdan
AU - Oguztüzün, Halit
AU - Topçu, Okan
AU - Buzluca, Feza
PY - 2009
Y1 - 2009
N2 - The Federation Architecture Metamodel (FAMM) provides a domain specific language for describing the architecture of a High Level Architecture (HLA) compliant federation. A federation architecture model (FAM) consists of the object models and the behavioral models of participating federates. The communication behavior of each federate is to be modeled in the same level of detail as the HLA Federate Interface Specification so as to facilitate standard-compliant code generation. However, this level of detail increases the likelihood of the modelers making mistakes in following the standard. Thus, beyond well-formedness, static checking of the well-behavedness of federate behavioral models is desirable. If it can be shown that all the preconditions of the HLA Runtime Infrastructure (RTI) services used in a behavioral model are satisfiable then we have some assurance that the interface behavior can be compliant to the HLA Federate Interface Specification. In this paper, we present a model checking based procedure to verify the interface behavior of an HLA federate modeled in FAMM. Verification is performed automatically by the help of (1) a model interpreter that takes a FAM as input, and generates the PROMELA model of its behavioral part as output, (2) the SPIN model checker that performs model checking given the generated PROMELA process as input and then outputs the verification result in terms of the preconditions that will not hold at run-time.
AB - The Federation Architecture Metamodel (FAMM) provides a domain specific language for describing the architecture of a High Level Architecture (HLA) compliant federation. A federation architecture model (FAM) consists of the object models and the behavioral models of participating federates. The communication behavior of each federate is to be modeled in the same level of detail as the HLA Federate Interface Specification so as to facilitate standard-compliant code generation. However, this level of detail increases the likelihood of the modelers making mistakes in following the standard. Thus, beyond well-formedness, static checking of the well-behavedness of federate behavioral models is desirable. If it can be shown that all the preconditions of the HLA Runtime Infrastructure (RTI) services used in a behavioral model are satisfiable then we have some assurance that the interface behavior can be compliant to the HLA Federate Interface Specification. In this paper, we present a model checking based procedure to verify the interface behavior of an HLA federate modeled in FAMM. Verification is performed automatically by the help of (1) a model interpreter that takes a FAM as input, and generates the PROMELA model of its behavioral part as output, (2) the SPIN model checker that performs model checking given the generated PROMELA process as input and then outputs the verification result in terms of the preconditions that will not hold at run-time.
KW - Federation architecture metamodel (FAMM)
KW - HLA federate interface specification
KW - Model checking
UR - http://www.scopus.com/inward/record.url?scp=84865581577&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84865581577
SN - 9781615674015
T3 - Fall Simulation Interoperability Workshop 2009, 2009 Fall SIW
SP - 451
EP - 458
BT - Fall Simulation Interoperability Workshop 2009, 2009 Fall SIW
T2 - Fall Simulation Interoperability Workshop 2009, 2009 Fall SIW
Y2 - 21 September 2009 through 25 September 2009
ER -