Generic Methodology for Formal Verification of UML Models

This paper discusses a Unified Modelling Language (UML) based formal verification methodology for early error detection in the model-based software development cycle. Our approach proposes a UML-based formal verification process utilising functional and behavioural modelling artifacts of UML. It reinforces these artifacts with formal model transition and property verification. The main contribution is a UML to Labelled Transition System (LTS) Translator application that automatically converts UML Statecharts to formal models. Property specifications are derived from system requirements and corresponding Computational Tree Logic (CTL)/Linear Temporal Logic (LTL) model checking procedure verifies property entailment in LTS. With its ability to verify CTL and LTL specifications, the methodology becomes generic for verifying all types of embedded system behaviours. The steep learning curve associated with formal methods is avoided through the automatic formal model generation and thus reduces the reluctance of using formal methods in software development projects. A case study of an embedded controller used in military applications validates the methodology. It establishes how the methodology finds its use in verifying the correctness and consistency of UML models before implementation.

A Pipeline DNA Approach Within Fitness-For-Purpose Assessments

Establishing a robust knowledge of material properties forms the basis of any FFP assessment. In light of the revised Federal Pipeline Safety Regulations in the US, operators of gas transmission pipelines are required to possess Traceable, Verifiable and Complete (TVC) records for input into FFP assessments and to support MAOP. ROSEN has been engaged by several operators to reconfirm the MAOP along the full pipeline length using the Engineering Critical Assessment (ECA) approach. This is a data integration approach using multiple ILI technologies to detect, identify and quantify the inputs required for a robust FFP assessment. A crucial aspect was the use of TVC material properties in the ECA, in which the RoMat Pipe Grade Sensor (PGS) service was used as the foundation for material property verification, ensuring accurate material properties are used in the ECA. Traditionally, ILI has not been able to provide strength data. However, with the addition of ROSEN’s Pipe Grade Sensor (PGS) technology, pipe populations; defined as a group of pipes with shared material properties and characteristics, can now be reliably identified and a strength grade assigned to each population. New NDT technologies already available on the market allow us to increase the confidence within the population assessment as well as further characterize the populations of pipes. This “Pipeline DNA” approach, incorporating both the PGS technology and in-field material property verification, ensures accurate or representative material properties are used in any future integrity studies. This paper describes the ROSEN approach to “Pipeline DNA”, and how it can be used in combination with material verification as a foundation for FFP assessments in an effort to reconfirm MAOP.

MAOP Reconfirmation for a 20 Inch Gas Pipeline Using the ECA Method and Enhanced ILI

In light of the revised Federal Pipeline Safety Regulations, active from July 1, 2020, operators of gas transmission pipelines are faced with the task of reconfirming pipeline MAOP in a prescriptive set of circumstances. This requirement is defined in section 192.624 of 49 CFR 192. Louisville Gas & Electric (LGE) is operating a pipeline with an MAOP established using a combination of partial and full traceable, verifiable and complete (TVC) documentation and the ‘grandfathering’ clause defined by 192.619(a)(3). LGE has developed a plan and embarked on the process of reconfirming the MAOP using Method 3 – Engineering Critical Assessment (ECA). The pipeline is 20 inch diameter and predominately 0.25 inch wall thickness. It was originally constructed from vintage ERW pipe circa. 1960 to 1970 and is 29.86 miles long. There have been no reportable incidents on the line. There are various HCAs, Class 3 and Class 4 locations, and newly defined MCAs (per 192.3) along the line. The approach taken by the operator is to reconfirm the MAOP along the full pipeline length to cover the possibility of class location changes in the future. MAOP Reconfirmation via method 3 is detailed in clause 192.632. A critical element of an ECA per method 3 is the implementation of various ILI technologies to detect, identify, and size target threats. ROSEN provided an enhanced program of ILI including technologies to assess material properties, and crack-like/metal-loss anomalies. A critical aspect of method 3 is the use of appropriate material properties in the ECA. The operator deployed the RoMat PGS ILI system as the foundation for material property verification process to fulfill the requirements of clause 192.607 of 49 CFR 192, a requirement to establish ‘unknown material properties’. This paper describes the comprehensive work performed by the partnership of ROSEN and LGE to establish and fulfill the MAOP reconfirmation process. Such a large ILI program is a significant undertaking considering the associated data-integration, operational and engineering details that have to be addressed. This paper presents the methodologies used for each stage of the ECA process and how the ILI and material verification results were used to determine predicted failure pressures and remaining life. By satisfying the regulations, the operator has established a process to manage pipeline integrity, reduce risk, and reconfirm MAOP.

SGAC: A Multi-Layered Access Control Model with Conflict Resolution Strategy

This paper presents SGAC (Solution de Gestion Automatisée du Consentement / automated consent management solution), a new healthcare access control model and its support tool, which manages patient wishes regarding access to their electronic health records (EHR). This paper also presents the verification of access control policies for SGAC using two first-order-logic model checkers based on distinct technologies, Alloy and ProB. The development of SGAC has been achieved within the scope of a project with the University of Sherbrooke Hospital (CHUS), and thus has been adapted to take into account regional laws and regulations applicable in Québec and Canada, as they set bounds to patient wishes: for safety reasons, under strictly defined contexts, patient consent can be overriden to protect his/her life (break-the-glass rules). Since patient wishes and those regulations can be in conflict, SGAC provides a mechanism to address this problem based on priority, specificity and modality. In order to protect patient privacy while ensuring effective caregiving in safety-critical situations, we check four types of properties: accessibility, availability, contextuality and rule effectivity. We conducted performance tests comparison: implementation of SGAC versus an implementation of another access control model, XACML, and property verification with Alloy versus ProB. The performance results show that SGAC performs better than XACML and that ProB outperforms Alloy by two order of magnitude thanks to its programmable approach to constraint solving.