Deriving Specifications of Dependable Systems: toward a Method
This paper proposes a method for deriving formal specifications of systems. To accomplish this task we pass through a non-trivial number of steps, concepts and tools, the first and most important of which is the concept of method itself, since we realized that computer science has a proliferation of languages but very few methods. We also propose the idea of Layered Fault Tolerant Specification (LFTS) to make the method extensible to dependable systems. The principle is to layer the specification, for the sake of clarity, into (at least) two levels: the first for the normal behavior and the others (if more than one) for the abnormal. The abnormal behavior is described in terms of an Error Injector (EI), which represents a model of the erroneous interference coming from the environment. This structure has been inspired by the notion of idealized fault tolerant component, but the combination of LFTS and EI using rely-guarantee thinking to describe interference can be considered one of the main contributions of this work. The progress toward this method and the way to layer specifications have been made by experimenting on the Transportation and the Automotive Case Studies of the DEPLOY project.
💡 Research Summary
The paper introduces a systematic method for deriving formal specifications of dependable systems, addressing the gap between the abundance of modeling languages and the scarcity of coherent methods in computer science. Central to the approach is the concept of Layered Fault‑Tolerant Specification (LFTS), which partitions a system’s specification into at least two distinct layers: a “normal” layer that captures intended functional behavior, and one or more “abnormal” layers that describe how the system should react to faults. The abnormal layers are expressed through an Error Injector (EI), a virtual component that deliberately injects erroneous interactions representing environmental faults, communication delays, sensor failures, or any other disturbance that may affect the system.
To reason about the interaction between normal and abnormal layers, the authors adopt the rely‑guarantee framework. In this setting, the normal layer provides guarantees about its own behavior, while the abnormal layer assumes certain “rely” conditions supplied by the EI. This separation enables independent verification of each layer: functional correctness can be proved for the normal layer, and fault‑tolerance properties can be proved for the abnormal layers under the assumed fault models. The rely‑guarantee reasoning also facilitates compositional verification, allowing the use of existing model‑checking or theorem‑proving tools without requiring a monolithic specification.
The method is validated through two case studies from the DEPLOY project: a transportation system (traffic‑signal control) and an automotive braking controller. In the transportation case, the normal specification models the timing and sequencing of traffic lights, while the EI models sensor loss, message loss, and electromagnetic interference. Verification shows that the controller maintains safe traffic flow even when the EI injects these faults. In the automotive case, the normal layer describes the braking algorithm, and the EI models ECU failures, voltage spikes, and CAN‑bus errors. The layered specification demonstrates that the braking system can detect and safely degrade performance under the injected fault scenarios. Both studies confirm that LFTS combined with EI yields clearer, more maintainable specifications and enables systematic fault‑tolerance analysis.
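To make the layering and the rely-guarantee split concrete, here is an added executable sketch (not code from the paper or the DEPLOY project) of a miniature LFTS: a normal layer that is a plain two-direction traffic-light controller driven by clock ticks, an abnormal layer that masks transient "lost tick" faults, an Error Injector that rewrites a clean tick stream into a faulty one, a rely condition that bounds the EI's fault bursts, and a guarantee (no green phase is stretched beyond a fixed bound) that is checked on every trace satisfying the rely. The controller, the fault model, the timing constants and every name (`normal_step`, `abnormal_step`, `error_injector`, `respects_rely`, `run`, `verify`) are assumptions of this example, not notation from the paper.

```python
"""
Executable sketch of a Layered Fault-Tolerant Specification (LFTS) with an
Error Injector (EI) and a rely-guarantee check.  Everything here is constructed
for illustration; it is not the paper's own model.

Normal layer  : a two-direction traffic-light controller driven by clock ticks.
Abnormal layer: masks transient faults ("lost_tick") injected by the EI.
Rely          : the EI never injects more than MAX_BURST consecutive faults.
Guarantee     : a green phase never lasts more than MAX_GREEN events, because
                each of its GREEN_TICKS ticks may be delayed by one burst.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import List, Optional, Tuple

GREEN_TICKS = 3                           # constructed timing parameters
YELLOW_TICKS = 1
MAX_BURST = 2                             # rely condition imposed on the EI
MAX_GREEN = GREEN_TICKS * (1 + MAX_BURST) # guarantee bound (events, not ticks)

CYCLE = ["NS_GREEN", "NS_YELLOW", "EW_GREEN", "EW_YELLOW"]
DURATION = {"NS_GREEN": GREEN_TICKS, "NS_YELLOW": YELLOW_TICKS,
            "EW_GREEN": GREEN_TICKS, "EW_YELLOW": YELLOW_TICKS}


@dataclass(frozen=True)
class State:
    phase: str
    timer: int      # ticks remaining in the current phase
    burst: int      # consecutive faults seen so far (abnormal-layer bookkeeping)


def initial_state() -> State:
    return State("NS_GREEN", GREEN_TICKS, 0)


# --- normal layer: knows only about clock ticks, nothing about faults ----------
def normal_step(s: State, event: str) -> State:
    if event != "tick":
        raise ValueError("normal layer only handles ticks")
    if s.timer > 1:
        return replace(s, timer=s.timer - 1)
    nxt = CYCLE[(CYCLE.index(s.phase) + 1) % len(CYCLE)]
    return replace(s, phase=nxt, timer=DURATION[nxt])


# --- abnormal layer: reacts to EI fault events, delegates ticks downward -------
def abnormal_step(s: State, event: str) -> State:
    if event == "tick":
        return replace(normal_step(s, event), burst=0)
    # a fault is masked: the phase is held and the burst length recorded
    return replace(s, burst=s.burst + 1)


# --- error injector: turns a clean tick stream into a faulty one ---------------
def error_injector(n_events: int, fault_at: List[int]) -> List[str]:
    """Replace the ticks at the given 0-based positions with 'lost_tick' faults."""
    return ["lost_tick" if i in fault_at else "tick" for i in range(n_events)]


def respects_rely(trace: List[str]) -> bool:
    """Rely condition on the environment: at most MAX_BURST consecutive faults."""
    run_len = 0
    for ev in trace:
        run_len = run_len + 1 if ev != "tick" else 0
        if run_len > MAX_BURST:
            return False
    return True


# --- composed specification and guarantee check --------------------------------
def run(trace: List[str]) -> Tuple[bool, Optional[int]]:
    """Execute the layered spec; return (guarantee_holds, index_of_first_violation)."""
    s = initial_state()
    green_len = 1 if s.phase.endswith("GREEN") else 0  # events spent in current green
    for i, ev in enumerate(trace):
        prev = s
        s = abnormal_step(s, ev)
        if s.phase.endswith("GREEN"):
            green_len = green_len + 1 if s.phase == prev.phase else 1
        else:
            green_len = 0
        if green_len > MAX_GREEN:
            return False, i
    return True, None


def verify(n_events: int) -> Tuple[int, List[List[str]]]:
    """Exhaustively check the guarantee on every trace of the given length that
    satisfies the rely; return (traces checked, counterexample traces)."""
    checked, counterexamples = 0, []
    for bits in product((0, 1), repeat=n_events):
        trace = ["lost_tick" if b else "tick" for b in bits]
        if not respects_rely(trace):
            continue                      # outside the rely: not the spec's problem
        checked += 1
        if not run(trace)[0]:
            counterexamples.append(trace)
    return checked, counterexamples


if __name__ == "__main__":
    print("rely-respecting traces checked, counterexamples:", verify(10))
    print("EI exceeding its rely:", run(error_injector(16, [4, 5, 6, 8, 9, 10, 12, 13, 14])))
```

The design point is that the normal layer never mentions faults, the abnormal layer masks them without knowing the controller's timing, and the guarantee is established only under the rely: `verify` finds no counterexample among rely-respecting traces, while an EI that bursts beyond `MAX_BURST` produces a trace on which `run` reports a violation.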
Beyond the case studies, the authors argue that LFTS and EI are language‑agnostic; they can be instantiated in UML, SysML, Event‑B, CSP, or other formal notations, making the method adaptable to a wide range of engineering environments. However, the paper also acknowledges challenges: constructing an EI that faithfully represents real‑world fault distributions can be difficult, and managing multiple abnormal layers may increase specification overhead. Future work is suggested in the areas of automated EI generation, tool support for extracting inter‑layer contracts, and scalability studies on large‑scale systems. In summary, the paper contributes a novel, layered approach to dependable system specification that bridges functional correctness and fault tolerance, providing a practical pathway from high‑level requirements to formally verified, resilient designs.