# Model Execution and Debugging A Process to Leverage Existing Tools

Faiez Zalila<sup>1,3</sup>, Eric Jenn<sup>1,\*</sup> and Marc Pantel<sup>2</sup>

<sup>1</sup>IRT Antoine de Saint Exupéry, Toulouse, France <sup>2</sup>IRIT, Université de Toulouse, Toulouse, France <sup>3</sup>LAAS-CNRS, Université de Toulouse, CNRS, Toulouse, France

Keywords: Modeling, Formal Verification, Model-checking, Debugging, Simulation, Model Execution, IDE.

Abstract: Model checking is an effective technique for the verification of critical systems. However, it relies on behavioral models which are costly to write and maintain. Thus, those models shall be validated and debugged thoroughly, and simulation, i.e. model execution, can be used for that purpose. To reduce the development costs of simulators and ensure their behavioral consistency with model verifiers, we advocate the reuse of parts of the model verification tool-chain to implement them. To support this claim, this paper proposes a method illustrated with a realistic case study applied to FIACRE behavioral models. The approach relies on the creation and exploitation of relations between models representing the information required by the user on the one hand, and information produced by the tools, on the other hand.

## **1 INTRODUCTION**

#### 1.1 Problem Statement

Early validation and verification (V&V) activities reduce development costs, as specification and design errors can be detected and fixed as soon as possible in the development process. In that purpose, these activities are performed on various system models (requirements, architecture, design, function, etc.) expressed using various Domain Specific Modeling Languages (DSMLs).

Whenever complex behavioral properties are at stake, model-checking is an efficient approach to prove the absence of errors on those models. However, to overcome scalability issues, it is usually mandatory to create multiple models, at various abstraction levels, covering several kind of properties.

Animating those models is one of the best means to remove trivial modeling bugs, to ensure that the models indeed express the designers intents, and eventually to reduce the overall cost of verification (Bourdil et al., 2016b).

These models are defined using high-level languages that offer abstracts constructs. To be verified or validated, those models are usually trans-

\*Seconded from Thales Avionics, Toulouse, France.

formed into lower level models conforming to the more concrete formalisms used by model-checkers and/or simulators (Visser et al., 2012). Then, to be exploited, the runtime results produced by these tools must be re-interpreted in terms of the initial abstract language. Obviously, such round-trip between abstract and concrete models could be avoided by developing V&V means directly applicable on abstract languages. However, we advocate the round-trip strategy for two main reasons:

- 1. developing a new model checker or simulator and ensuring the semantics consistency of those tools is a very complex and costly task, and
- 2. there already exists a plethora of efficient modelcheckers and/or simulators.

Unfortunately, the necessary re-interpretation phase is not trivial as information is lost during the successive transformations to verification languages. In this paper, we propose an approach to ease the implementation of the round-trip strategy based on the analysis of annotated metamodels.

### **1.2 Our Contribution**

Our approach combines and leverages existing low-level verification, validation, and transformation

In Proceedings of the 5th International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2017), pages 401-408 ISBN: 978-989-758-210-3

Zalila F., Jenn E. and Pantel M.

Model Execution and Debugging - A Process to Leverage Existing Tools DOI: 10.5220/0006143104010408

Copyright © 2017 by SCITEPRESS - Science and Technology Publications, Lda. All rights reserved

means to provide the end-user with appropriate debugging information. It relies on the construction of relations between the data produced by the various tools, and the user requirements for the model simulator.

We illustrate this approach on the development of a model simulator for the FIACRE language (Berthomieu et al., 2008) using the existing model checking toolbox **TINA** (Berthomieu et al., 2004).

This paper is structured as follows. Section 2 presents the context of the study and the use-case. It gives an overview of the user requirements for the model simulator. Section 3 proposes and discusses different design methods to develop the simulator. Section 4 presents some related works in the domain of simulators design. Section 5 concludes the paper.

## 2 THE CONTEXT AND THE CASE-STUDY

The work presented in this paper is carried out in the framework of the INGEQUIP project at the "Institut de Recherche Technologique Saint-Exupéry" at Toulouse, France. This project experiments and assesses innovative engineering methods and tools in the domain of hardware/software co-design, virtual integration and formal verification in the automotive, space, and aeronautics domains.

The project demonstrator is a small three-wheeled robot which architecture is representative of a significant family of real systems. It is composed of a mission subsystem in charge of the computation of the rover mission, trajectory tracking, etc. and a power subsystem in charge of the management of the powertrain. The two subsystems are interconnected by a unique CAN bus.

To comply with the availability and safety requirements, the mission subsystem is broken down into two channels (left/right) with two units per channel (COM/MON). A clock synchronization (CS) protocol (Rodrigues et al., 1998) synchronizes all units.

This CS protocol model represents around 700 lines of FIACRE code, a high level verification language used by several model checking tools. The model covers both the units to be synchronized and the communication network (CAN). Verification is performed using the **TINA** tool-chain. Even though directly inspired from (Rodrigues et al., 1998), building the model of the CS protocol required a significant design and debugging effort due to the various abstractions and simplifications that were required to obtain a tractable model (Bourdil et al., 2016a). In the rest of the document, we will take small excerpts

process Can (&pain, &pouts, &pkGM:MulPkts, &fp:nbFP, &fn:FN) is states rcv, txtime, tx, model\_error var m:Msg, i:0..NB\_NODES:=0, fo:nbFO := 0, omissions:Omissions := init\_omissions(), omission:bool := false from rcv wait[0,0]; m := highestRankMsg(pktsIn); on not (m.mtype=Empty); to txtime from txtime wait [0.00005, 0.00005]; i := 0; to tx from tx wait [0,0]; select on i < NB\_NODES;</pre> if not failedNodes[\$i] then pktsGammaMin[\$i] := enqueue(pktsGammaMin[\$i],m) end; i := i + 1; loop [] on i < NB\_NODES and fo < FO and not fn[\$i]; omissions[\$i] := omissions[\$i] + 1; fo := fo + 1;m.omissions := m.omissions + 1; omission := true; if omissions[\$i] = FO then fp := fp + 1; fn[\$i] := true; pkin[\$i] := {||}; pkout[\$i] := {||}; pkGM[\$i] := {||} end; i := i + 1; 100p [...]

Listing 1: FIACRE model of the CAN controller (extract).

of this model to illustrate specific issues encountered during the design of the model simulator.

#### 2.1 The FIACRE Modeling Language

FIACRE is the French acronym for Intermediate Format for Embedded Distributed Component Architectures. It was initially designed as the target language for model transformations from different DSMLs such as SDL (Rangra and Gaudin, 2014), AADL (Berthomieu et al., 2010; Bodeveix et al., 2015) or LADDER (Farines et al., 2011). FIACRE is used to describe the behavioral and timing aspects of concurrent systems for formal verification and simulation purposes. It is built around two mains constructs:

- **Processes** used to model sequential behaviors out of **states** and **transitions**. A transition is associated with deterministic statements (assignments, conditionals, loops, and sequential compositions), non-deterministic choices, non-deterministic assignments and communication statements.
- Component modeling the hierarchical composition of processes.

Besides these two main constructs, FIACRE also supports the expression of properties involving FIACRE's observable elements (states, variables, etc.). The property language includes LTL properties, Dwyer et al. patterns and their timed extensions (Abid et al., 2014).

Listing 1 shows a sample of the FIACRE code for the clock synchronization model<sup>1</sup>. The elements used later are in **bold** characters.

#### 2.2 The TINA Verification Toolbox

Verifications are performed by the **TINA** toolbox, a set of tools used to edit and analyze Timed Transition System (TTS), an extension of Time Petri Nets (TPN) with data manipulation. The following toolbox components are considered in this paper:

- TINA constructs reachability graphs and Kripke transitions systems from TTS and TPN
- PLAY animates TTS and TPN.

To be processed by **TINA**, a FIACRE model must be translated to TTS using the dedicated tool **FRAC**<sup>2</sup>. Due to the semantic gap between the two languages, some information present in the FIACRE input may be absent from the TTS output. Fortunately, **FRAC** generates traceability data that can be exploited to compensate this loss. Now, let us consider the designers needs in terms of debugging features.

# 2.3 Requirements for the FIACRE Simulator

As stated before, even though verification is highly automated thanks to model checking techniques,

<sup>2</sup>http://projects.laas.fr/fiacre

building the model remains a manual activity. The model developers require means to assess that the model indeed expresses their intention and eliminate modeling errors before starting the formal verification phase (which might be quite costly). Moreover, after the model checking phase, they also need means to interpret the counter-examples that may be produced by the model-checker.

To some extent, debugging models is similar to debugging programs: users need capabilities to observe the sequences of states during the model execution, step through these sequences, stop the execution when some condition occurs, etc.

```
date: 0
state 5: Can_1_srcv, Can_1_vstates=0,
Can_1_vm={mtype=Adjust,
          nid=-1,
          omissions=0,
          round=0, sid=-1},
Can_1_vi=0, Can_1_vfo=0,
Can_1_vomissions=[0,0,0],
Can_1_vomission=false
enabled:
 Can_1_t0 [0,0]
 StartRound_1_t4 [0,w[
 . .
firable: Can_1_t0
         StartRound_1_t4
? # 0
do firing: Can_1_t0
date: 0
state 6: Can_1_stxtime, Can_1_vstates=1,
Can_1_vm={mtype=Start,
          nid=0,
          omissions=0,
          round=-1,
          sid=0},
Can_1_vi=0, Can_1_vfo=0,
Can_1_vomissions = [0, 0, 0],
Can_1_vomission=false
enabled:
 Can_1_t1 [50,50]
 StartRound_1_t4 [0,w[
 . . .
firable: StartRound_1_t4
         StartRound_2_t0
         . . .
```

Listing 2: Excerpt of a TTS execution trace produced by the TTS simulator (**PLAY**).

More precisely, it relates to debugging a multithreaded software since the execution of a FIACRE model is the composition of multiple processes executed concurrently. However, some differences are worth mentioning:

<sup>&</sup>lt;sup>1</sup>The complete FIACRE model is accessible at http://projects.laas.fr/fiacre/examples/2016-twirtee/twirtee/ claims/c1.fcr



Figure 1: Informal debugging metamodel.



- 1. the user has a full control of time,
- 2. some transitions within processes may be selected non-deterministically (select clauses),
- 3. some state transitions may occur synchronously between processes, etc.

While we concentrate on the particular example of FIACRE in this paper, this is representative of structures and problems found with many other specification languages like mCRL2 language (Cranen et al., 2013) and AltaRica (Prosvirnova et al., 2013).

From now on, we focus on a few key requirements for such an execution/debugging environment and see how we managed to implement them with a minimal development effort.

Let FS be the FIACRE Simulator under design.

- **REQ-1:** The FS shall refer to modeling elements using user-level designation. For instance, it shall present values according to the representation used in the FIACRE source model. This applies in particular to data types like structs, unions, etc.
- **REQ-2:** When applicable, the FS shall display the locations of modeling elements in the source model. Reciprocally, the FS shall provide the user with the capability to select or designate an element directly on the source model.
- **REQ-3:** The FS shall visualize the evolution of FI-ACRE variables and states along time.

The previous list of requirements is (partially) modeled on Figure 1: a debugging session is a sequence of debugging steps, each step being a triple (observation, analysis, action) corresponding to the usual scenario where: (1) the system is executed, (2) some observations are obtained from this execution, and (3) those observations determine the next step of execution.

Of course, part of the triple may be ignored for any execution step: observations may be ignored during some specific phases (e.g., case of initialization), actions may be automated (e.g., random selection of transitions), etc.

In the rest of the document, focus is placed on the Observation part (in blue on Figure 1). It is expanded in Figure 2 where it is linked to the data provided by the other available models.

## **3 DESIGN SOLUTIONS**

Figure 2 shows the FIACRE and TTS technical domains involved in the implementation. The execution information at the FIACRE level is obtained by the analysis of the TTS simulation model. Listing 2 shows a sample of the TTS simulation model corresponding to the CAN FIACRE process introduced earlier. Figure 3 shows the three solutions that are presented and analyzed hereafter.

# 3.1 Solution 1: Use the TTS Simulation Model

The first solution (the blue part at the top of Figure 3) exploits two sources of information: the TTS description that represents the structure of a TTS model, and the TTS simulation model (label 1 in Figure 3).

From these two sources, information about the execution of the FIACRE model is obtained by a sequence of three phases: extraction, identification, and construction.

**Extraction** consists in analyzing the textual output of the **PLAY** tool to produce the TTS simulation model. This phase is implemented using Xtext<sup>3</sup>.

**Identification** associates the TTS description elements with the FIACRE model elements. To do that, some knowledge is required about: (1) how the TTS desription is built from the FIACRE model, and (2) how the FIACRE model elements are encoded is the TTS description.

For example, state "txtime" of the first instance of the CAN process declaration in FIACRE is encoded

<sup>&</sup>lt;sup>3</sup>https://www.eclipse.org/Xtext/



Figure 3: Implementation solutions.

as TTS place "Can\_1\_stxtime" (the "s" in the id means that corresponds to a FIACRE state declaration). Using this naming convention, one is able to retrieve source elements from the FIACRE model.

```
Trans::Can_1_t0 & Main
from Can_1_srcv
on ({Can_1_vm :=
      highestRankMsg (Main_1_vpktsOut);
not((Can_1_vm.mtype = Empty))});
 Can 1 vm :=
      highestRankMsg (Main_1_vpktsOut);
 Can_1_vstates := 1;
to Can_1_stxtime
in [0,0]
Trans::Can_1_t1 & Main
from Can_1_stxtime
on true:
Can_1_vi := 0;
Can_1_vstates := 2;
to Can 1 stx
in [50,50]
```

Listing 3: Excerpt of the initial compilation trace model.

Finally, **Construction** produces the simulation information at FIACRE level by instantiating the appropriate elements of the FIACRE simulation metamodel using the Identified Simulation Model (label **1a** in Figure 3). Unfortunately, this first solution only complies with user requirement REQ-3 due to missing data in the TTS description and TTS Simulation model. This lack is caused by the multiple optimizations performed during the compilation phase by the **FRAC** compiler. So, let us consider the second solution.

#### 3.2 Solution 2: Use Traceability Data

Solution 2 (in red in Figure 3) extends solution 1 by combining the TTS simulation model (see Listing 2) with initial compilation trace model generated by **FRAC** (-G option) (label **2** in Figure 3).

Historically, this information was used for debugging purposes during the development of **FRAC**. Later, it was also used to feed verification results from the TTS level back to FIACRE (Zalila et al., 2012; Zalila et al., 2013). It is produced during the last step of the translation phase, before the generation of the TTS description. It contains TPN and data processing constructs (guards, assignments, etc.).

Listing 3 shows a subset of a compilation trace model related to the CAN process shown in Listing1. It contains two TTS transitions: Can\_1\_t0 and Can\_1\_t1. In order to locate these transitions in the FIACRE source model using the initial compilation trace model, it is necessary to understand how the **FRAC** compiler generates TTS identifiers from FI-ACRE-level identifiers.

Once this relation is established, the transitions

are immediately located in the source code. For example, transition "Can\_1\_t0", which identifiers ends with "t0", corresponds to the first transition on the first instance of a CAN process (see lines 9-13 in Listing 1). Similarly, transition "Can\_1\_t1" corresponds to the transition located at lines 14-16 in Listing 1.

Syntactic and semantic analysis are required to identify the corresponding TTS model elements. Syntactic analysis raises no particular difficulty. Semantic analysis can be achieved in two ways. First, the transition body may be analyzed line-by-line. This solution requires a significant effort and in-depth knowledge on the internals of **FRAC**.

```
"flatname": "Can_1",
2
  "inst": 1,
  "loc":
    {"from": {"char": 0, "line": 270},
4
     "to": {"char": 0, "line": 364}},
  "name": "Can",
6
  "states": [
     {"flatname": "Can_1_srcv",
8
       "loc":
         {"from": {"char": 7, "line": 272},
10
          "to": {"char": 10, "line": 272}},
       "sourcename": "rcv"},
12
            1,
14
  "transitions":
16
       {"locations": [
  {"from": {"char": 0, "line": 288},
18
          "to": {"char": 11, "line": 288}},
         {"from": {"char": 2, "line": 290},
20
          "to": {"char": 25, "line": 290}},
         {"from": {"char": 25, "line": 290},
22
          "to": {"char": 8, "line": 292}},
         {"from": {"char": 2, "line": 293},
24
           to": {"char": 0, "line": 295}}
26
                      ],
         "name": "Can_1_t1"
       },
28
       . . .
      ],
30
  . . .
```

Listing 4: Excerpt of the ECT model.

For example, **FRAC** sometimes adds internal guards (e.g., guard on true for transition Can\_1\_t1), enriches existing guards (e.g., guard of transition Can\_1\_t0), adds internal assignments, replaces constant identifiers by their value, etc.

Second, the index given in the transitions identifiers (t0, t1, t2, etc.) may be used as the rank of the transition in the source code of the process.

However, the presence of nested non-

deterministic constructs containing quite similar source code makes this task extremely difficult. Moreover, this solution satisfies user requirement REQ-2 only partially as it fails to reach the source code level. To overcome this problem, we rely on the extended compilation trace (ECT) model.

#### **3.3** Solution 3: Use the ECT Model

Solutions 1 and 2 have not succeeded to satisfy all user requirements. Used as black-boxes, the existing tools do not provide sufficient information to associate unequivocally the FIACRE model elements with the TTS model elements: information is so degraded that this association cannot be reconstructed. The last proposal is then to extend the **FRAC** tool in order to export the information lost in translation. Accordingly, we introduce a new trace model, called "Extended Compilation Trace" (ECT) model (label **3** in Figure 3), that is generated when the option "j" of **FRAC** is activated.

The ECT model offers a direct mapping between the FIACRE source code elements and the corresponding constructs in the TTS model. The structure of the ECT reflects the hierarchical organization of the FI-ACRE model. Listing 4 shows a subset of the generated ECT model related to the CAN process. In this example, lines 8-12 associate the generated TTS place identifier Can\_1\_srcv with its corresponding FIACRE source code (sourcename) and its location (character 10 on line 272). This information allows retrieving the FIACRE source code information directly from the TTS. Finally, the path from the TTS model to the debugging model is complete, as shown on Figure 4: all user requirements are satisfied.

#### **3.4 Comparison of Solutions**

In this subsection, we compare the previous solutions by estimating the cost required to recover information degraded during the compilation phase. Figure 4 illustrates this process. In this example, we consider a FIACRE source code containing a process, proc, instantiated in the compo component. The proc process has a transition containing a non-deterministic statement. The first choice has an assignment, x:=x+1, followed by a jump statement to s1 state. The second choice has an assignment, x:=x+2, followed by a jump statement to s1 state. Let us consider the following user requirements:

- **REQ-2a:** the FS shall display the executed FIACRE statements.
- **REQ-2b:** the FS shall display the executed FIACRE statements in the source model.



Figure 4: Assessing solutions.

The problem consists in satisfying those requirements when the TTS transition proc\_1\_t1 is fired during animation.

First, we generate the abstract syntax tree (AST) of the FIACRE model using Xtext. This AST is flattened in order to generate the TTS transitions. Flattening consists in assigning an identifier number to each component/process instance according to its rank in the container component. A similar flattening activity is performed on the choices of the non-deterministic statements in order to generate the body of each TTS transition. As shown on Figure 4, The flattened FIACRE model represents a pivot model between the FIACRE and TTS levels.

To satisfy REQ-a, solution 1 consists in completing the parsing and numbering activities by correlating the different available information (proc, 1 and t1) to the generated ones in the flattened FIACRE model. This process allows identifying the concerned TTS transition and thus extracting the corresponding statements. Moreover, as the source code information (Line 6, Line 11, etc.) is already available in the identified TTS transition after the parsing, numbering, correlation and extracting activities, satisfying REQ-a and REQ-b represent the same costs.

For solution 2, the cost to satisfy REQ-a is negligible because the text of the executed FIACRE statements are already available in the TTS transition. However, the cost to satisfy REQ-b is the same as for solution 1.

For solution 3, the cost to satisfy all requirements is negligible because the new generated traceability information is sufficient to identify the related information at the source code level.

Therefore, solution 3 is adopted now to develop an integrated development environment for the FIACRE language because it can satisfy all end-user requirements on the one hand, and it represents the lowest

## 4 RELATED WORKS

Language engineering tool-sets target the modeling of languages and the implementation of associated tools but the behavioral concerns are usually not handled. More recent toolsets, like xCore, xMOF (Mayerhofer et al., 2013), the K framework (Rosu, 2013) or the GEMOC studio (Combemale et al., 2016) allow to handle it and ease the development of model simulators. However, they usually do not target model checkers except the K framework. But, this one do not allow to manage efficiently the combinatorial explosion of concurrent behaviors and thus does not scale to many realistic models. We could have used these tool-sets to build the FIACRE simulator. Moreover, this could lead to semantic inconsistencies between the behavior considered in the model checker and the behavior considered in the simulator. Thus we decided to study the reuse of parts of the model checker to ensure the same behavior in the simulator.

cost to resolve FIACRE to TTS mappings on the other.

In the literature, exploiting low-level simulation information to feedback it into the end-user level is usually neglected. For example, in the context of the AltaRica project (Prosvirnova et al., 2013), models are compiled into a low level formalism: Guarded Transition Systems (GTS). In this project, the stepwise simulator performs an interactive step by step simulation on the generated GTS model. For the mCRL2 toolset (Cranen et al., 2013), a mCRL2 specification is transformed into a linear process specification on which the simulation activity is performed.

## 5 CONCLUSION AND FUTURE WORK

In this paper, we have shared our experience about reusing existing low-level formal verification and validation tools in order to provide model simulation capabilities to the end-user. It consists on producing dynamic information on the HLL based on runtime information generated on the LLL. This work enabled us to develop a FIACRE simulator which is the result of a long research to hide all TTS information to the FIACRE end-user during the animation of his model. This work has resulted in the implementation of a FI-ACRE simulator tool<sup>4</sup> This is part of an ongoing work to develop a complete FIACRE IDE that will eventually integrate advanced features of model animation like the guided-simulation and the multi-branch simulation.

## REFERENCES

- Abid, N., Dal Zilio, S., and Le Botlan, D. (2014). A formal framework to specify and verify real-time properties on critical systems. *Int. J. Crit. Comput.-Based Syst.*, 5(1/2):4–30.
- Berthomieu, B., Bodeveix, J.-P., Dal Zilio, S., Dissaux, P., Filali, M., Gaufillet, P., Heim, S., and Vernadat, F. (2010). Formal Verification of AADL models with FIACRE and TINA. In *ERTSS 2010*, pages 1–9, Toulouse, France.
- Berthomieu, B., Bodeveix, J.-P., Filali, M., Farail, P., Gaufillet, P., Garavel, H., and Lang, F. (2008). FIACRE: an Intermediate Language for Model Verification in the TOPCASED Environment. In 4<sup>th</sup> European Congress ERTS Embedded Real-Time Software (2008).
- Berthomieu, B., Ribet, P.-O., and Vernadat, F. (2004). The tool TINA – Construction of Abstract State Spaces for Petri Nets and Time Petri Nets. *International Journal* of Production Research, 42(14):2741–2756.
- Bodeveix, J.-P., Filali, M., Garnacho, M., Spadotti, R., and Yang, Z. (2015). Towards a verified transformation from AADL to the formal component-based language FIACRE. Science of Computer Programming, 106:30 – 53. Special Issue: Architecture-Driven Semantic Analysis of Embedded Systems.
- Bourdil, P.-A., Dal Zilio, S., and Jenn, E. (2016a). Integrating Model Checking in an Industrial Verification Process: a Structuring Approach. *LAAS report n° 16115*. https://hal.archives-ouvertes.fr/hal-01341701.
- Bourdil, P.-A., Jenn, E., and Dal Zilio, S. (2016b). Building Confidence on Formal Verification Models. In Fast Abstracts at International Conference on Computer Safety, Reliability, and Security (SAFECOMP), Trondheim, Norway.
- <sup>4</sup>A demo of the simulator can be found here http://projects.laas.fr/fiacre/ide/demo.mov

- Combemale, B., Brun, C., Champeau, J., Crégut, X., Deantoni, J., and Le Noir, J. (2016). A Tool-Supported Approach for Concurrent Execution of Heterogeneous Models. In 8th European Congress on Embedded Real Time Software and Systems (ERTS 2016), Toulouse, France.
- Cranen, S., Groote, J. F., Keiren, J. J. A., Stappers, F. P. M., de Vink, E. P., Wesselink, W., and Willemse, T. A. C. (2013). An Overview of the mCRL2 Toolset and Its Recent Advances, pages 199–213. Springer Berlin Heidelberg, Berlin, Heidelberg.
- Farines, J.-M., De Queiroz, M. H., De Rocha, V., Carpes, A. M., Vernadat, F., and Crégut, X. (2011). A Model-Driven Engineering Approach to Formal Verification of PLC programs (regular paper). In *Emerging Technologies and Factory Automation (ETFA), Toulouse, France*, pages 1–8. IEEE.
- Mayerhofer, T., Langer, P., Wimmer, M., and Kappel, G. (2013). *xMOF: Executable DSMLs Based on fUML*, pages 56–75. Springer International Publishing, Cham.
- Prosvirnova, T., Batteux, M., Brameret, P.-A., Cherfi, A., Friedlhuber, T., Roussel, J.-M., and Rauzy, A. (2013). The AltaRica 3.0 project for model-based safety assessment. *IFAC Proceedings Volumes*, 46(22):127 – 132.
- Rangra, S. and Gaudin, E. (2014). SDL to FIACRE translation. In *Embedded Real-Time Software and Systems* (ERTS 2014).
- Rodrigues, L., Y, M. G., and Rufino, J. (1998). Faulttolerant clock synchronization in can. In *In Proc. of the 19th Real-Time Systems Symposium (RTSS*, pages 420–429. IEEE Computer Society Press.
- Rosu, G. (2013). Specifying languages and verifying programs with k. In *Proceedings of 15th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC'13)*, IEEE/CPS. IEEE.
- Visser, W., Dwyer, M. B., and Whalen, M. (2012). The Hidden Models of Model Checking. *Software & Systems Modeling*, 11(4):541–555.
- Zalila, F., Crégut, X., and Pantel, M. (2012). Verification results feedback for FIACRE intermediate language. In *Conférence en Ingénierie du Logiciel (CIEL)*.
- Zalila, F., Crégut, X., and Pantel, M. (2013). Formal verification integration approach for DSML. In Moreira, A., Schätz, B., Gray, J., Vallecillo, A., and Clarke, P., editors, *Model-Driven Engineering Languages and Systems*, volume 8107 of *Lecture Notes in Computer Science*, pages 336–351. Springer Berlin Heidelberg.