The Lotos Model of a Fault Protected System and its Verification Using a Petri Net Based Approach

Having introduced a novel Petri net based method for the verification of Lotes specifications [Barb 90a], this paper demonstrates its practical interest. Contrary to other similar Petri net based techniques, our approach avoids to build the whole Petri net from the Lotos specification before verification. In contrast to finite automata based methods, our method can analyse Lotos systems with unbounded state spaces. Our method is founded on a Place/Transitionnet Lotos semantics. The method is applied to the verification of the Lotos model of fault protected system. 1. I n t r o d u c t i o n Lotos [ISO 88] is a specification language for protocols and distributed applications. In this paper, we consider a Lotes specification which models the fault protection aspect of a small system. This system consists of two unreliable pieces of equipment and a standby equipment. InitiMly, the system is working and protected. When a failure occurs, the standby is substituted for the failed piece of equipment and the whole system moves to the ~working-unprotected" state. If a second equipment failure occurs, the whole system moves to the ~failed" state. To describe this model, only a subset of Lotos called Basic Lotos is required. Basic Lotos is introduced in w 2 whereas the Lotos model of the fault protected system is presented in w 3. The dynamic semantics of Lotos is defined formally. This means that formal verification is possible. Our verification method is based on Petri net theory. Petri net verification techniques are transferred to Lotos. So far, two transfer approaches have been proposed. A first approach consists of translating Lotos specifications into Petri nets and evaluating the properties on the equivalent Petri net models [Gara 90, and Marc 89]. We proposed a second approach which involves no translation from one formalism to another [Barb 90a]. We adapted to Lotos the well known Place/Transition-net (P/T-net) teachability analysis technique, namely, the Karp and Miller procedure [Karp 69]. In w 4 of this paper, we apply this technique for the verification of the Lotos specification of a fault protected system.