(IJCNS) International Journal of Computer and Network Security, 1

Vol. 2, No. 5, May 2010

A Model-driven Approach for Runtime Assurance

of Software Architecture Model
Yujian Fu1, Xudong He2, Sha Li3, Zhijiang Dong4 and Phil Bording5
1
Alabama A&M University, School of Engineering & Technology,
4900 Meridian Street, Normal AL 35762, USA
Yujian.fu@aamu.edu
2
Middle Tennessee State University, College of Basic and Applied Sciences,
1301 East Main Street, Murfreesboro, TN 37132, USA
zdong@mtsu.edu
3
Florida International University, School of Computing and Information Science,
11200 SW 8th Str, Miami, FL 33199, USA
Hex@cs.fiu.edu
4
Alabama A&M University, School of Engineering & Technology,
4900 Meridian Street, Normal AL 35762, USA
Phil.bording@aamu.edu
5
Alabama A&M University, School of Education,
4900 Meridian Street, Normal AL 35762, USA
Sha.li@aamu.edu

notations of UML. As a result, UML has been adapted for

Abstract: Unified Modeling Language (UML) has been widely
accepted for object-oriented system modeling and design, and
has also been adapted for software architecture descriptions in
recent years. Although, the use of UML for software
architecture representation has the obvious benefits of
facilitating learning and comprehension, UML lacks precise
semantics for defining key features of software architecture
level entities. In this paper, we present an approach to map a
UML architecture description into a formal specification model
called SAM, which serves as a semantic domain for defining the
precise semantics of the UML description and supports formal
analysis. Furthermore, when the UML architecture description
contains sufficient details, an implementation from the resulting
SAM architecture description to Java code can be automatically
generated from our existing SAM translator tool. The generated
Java code contains monitoring checkers for run-time
verification. Therefore, our approach provides not only a
method of formal analysis to detect design errors, but also a
technique to automatically generate executable code with run-
time verification capability, which effectively eliminates the
tedious, labor intensive, and error-prone manual coding process.
Keywords: Software architecture, UML, runtime verification,
temporal logic, Petri nets.
1. Introduction
Software architecture is a high level representation of a
software design, which can significantly impact the overall
system development as well as future system maintenance
and evolution. The importance of software architecture
design and description has been widely recognized in the
past decade. As a result, many architecture description
languages (ADLs) have been proposed. Most of these ADLs
are based on some formal methods. Although the formal
basis of an ADL enables some early design level analysis,
the formality and peculiar syntax of an ADL often hinder its
wide acceptance.
In contrast, UML has been widely accepted for object-
oriented system modeling and design. Software architects
and designers are familiar with the main features and
software architecture descriptions in recent years [21, 16,
30]. Defining software architecture using UML has the
following advantages: graphical, extensible, and capable of
representing both structural and behavioral aspects. In
addition, the UML architecture level representation provides
a simple transition or relation to a detailed object-oriented
design also described in UML.
As a general-purpose object-oriented modeling language,
UML does not directly provide constructs needed for
software architecture modeling, such as architectural
configurations, connectors, and styles. Although a UML
component diagram can be used to describe the organization
of a software system in terms of its components and
interconnections at specification level, it is unclear that how
to instantiate component interfaces and dependency
relationships and how to associate interaction protocols with
component dependencies.
Several research works explored the integration of UML
with some existing ADLs [31]. Among these works, three
approaches can be identified. In the first approach, rules are
provided to translate architectural descriptions between a
particular ADL and UML. In the second approach, key
constructs are added to standard UML to represent software
architecture, which often results in a large and complex
language that is hard to understand and use. In the third
approach, UML’s built-in extension mechanisms such as
stereo-types and tagged values are tailored for architecture
description. None of the above approaches address the issues
of code generation from an architecture description and the
verification of generated code.
In this paper, we present an integrated approach that
combines the ideas of the 1st and the 3rd approaches
mentioned above, as well as code generation from an
architecture description. This approach maps a UML
architecture description into a formal software architecture
model called SAM, which serves as a semantic domain for
defining the precise semantics of the UML description and
supports formal analysis. Furthermore, when the UML
2 (IJCNS) International Journal of Computer and Network Security,
architecture description contains sufficient details, an
implementation from the resulting SAM architecture
description to Java code can be automatically generated
from our existing SAM translator tool.
The paper proceeds as follows: Section 2 gives some
background information. Section 3 describes our approach
to mapping UML architecture description to SAM model;
Section 4 gives an example of the approach applied an
embedded system example and evaluates the approach;
Section 5 describes related work and Section 6 concludes.
2. Preliminaries
In this section, we provide a brief introduction to software
architecture documentation, UML, and SAM.
2.1 Software Architecture Viewpoints
Although, there is not a universally accepted way in
documenting software architecture design. The component
and connector (C&C) view, showing the dynamic behavioral
aspect of a software system, proposed in [35] is no doubt an
essential one, which has been the target used in the
development of many software architecture description
languages. The C&C view is also included in the work of
the Software Engineering Institute (SEI) [30], where the
authors presented three view types - module, component and
connector, and allocation view in documenting software
architecture design; and provided guidelines of how to use
UML to document these architecture view types. With
regard to the representation of the C&C view, three
strategies are demonstrated: using component types as
classes, subsystems, or real-time profiles. Since the behavior
of each class and object is described by the state charts
diagram, the behavior of the system represented by the class
diagram can be a group of state charts diagram with
interactions.
2.1 SAM – Software Architecture Model
SAM is an architectural description model based on Petri
nets [29], which are well-suited for modeling distributed
systems. SAM [15] has dual formalisms underlying – Petri
nets and Temporal logic. Petri nets are used to describe
behavioral models of components and connectors while
temporal logic is used to specify system properties of
components and connectors.
SAM (Software Architecture Model) is hierarchically
defined as follows. A set of compositions C = {C1, C2, …,
Ck} represents different design levels or subsystems. A set of
component Cmi and connectors Cni are specified within each
Figure 1. Overall Structure of Our Approach
Vol. 2, No. 5, May 2010
composition Ci as well as a set of composition constraints
Csi, e.g. Ci = {Cmi, Cni, Csi}. In addition, each component or
connector is composed of two elements, a behavioral model
and a property specification, e.g. Cij = (Bij, P ij). Each
behavioral model is described by a Petri net, while a
property specification by a temporal logical formula. The
atomic proposition used in the first order temporal logic
formula is the ports of each component or connector. Thus
each behavioral model can be connected with its property
specification. A component Cmi or a connector Cni can be
refined to a low level composition Cl by a mapping relation
h, e.g. h(Cmi ) or h(Cmi ) = Cl. SAM is suitable to describe
large scale systems’ description.
SAM gives the flexibility to choose any variant of Petri nets
and temporal logics to specify behavior and constraints
according to system characteristics. In our case, Predicate
Transition (PrT) net [11] and linear temporal logic (LTL)
are chosen.
3. Our Approach
Our approach takes a software architecture description based
on the C&C view and documented using the UML, and
produces a formal software architecture description in SAM.
More specifically, in the UML software architecture
description:
a) A class diagram is used to model the overall
structure of a software architecture,
b) State chart diagrams are used to define the behavior
of individual components and connectors, and
c) OCL is used to specify architecture level
constraints.
The above UML notations are mapped to SAM entities as
follows:
a) The class diagram is mapped to an overall
hierarchical SAM structure,
b) State chart diagrams are mapped to PrT nets, and
c) OCL expressions are mapped to temporal logic
formulae.
The resulting SAM model can be analyzed with various
existing formal analysis techniques including model
checking.
Furthermore, to improve the productivity and quality, we
provide an automated realization of the resulting SAM
model. We have designed and implemented a tool, named
SAM parser, with the PrT-XML and temporal logic-XML
transformation. Figure 1 shows the overall structure of the
approach.
 (IJCNS) International Journal of Computer and Network Security, 3
b)
3.1 Mapping from State-charts to SAM
Composition
It is straightforward to map each class into a composition
in a SAM model. In this section, we mainly focus on the
mapping from state charts to a SAM composition.
A statechart diagram specified the states that an object
can inhabit in, describes the events triggered flow of
control and actions responded from the system, as the
result of the objects reactions to events from the
environment. The semantics of statecharts is based on the
run-to-completion assumption [1]. A State is an abstract
metaclass that models a situation during which some
(usually implicit) invariant conditions hold. The structure
of a state vertex, defined by the following function
children, incarnates the hierarchy of state machines.
Definition 1 (Children). Let S be a set of state vertices.
The function children: S defines for each state the set of
its direct substates.
c)
We define childreni (s) = {s’|s’ ∈ childreni-1(s)} for i > 1.
Thus the function children+(s) = ∪i>0childreni (s) defines
for each state a set of its transitively nested substates.
Incoming events are processed one at a time and an event
can only be processed if the processing of the previous
event has been completed – when the statechart
component is in a stable state configuration. In our study,
we considered the events and actions defined by the
methods which are specified in the corresponding classes.
Thus we can obtain more detailed implementation
information. To map the state chart diagram to SAM
composition, we present a translation algorithm (fT) in the
following steps.
a) Each super state S, where children(S) ≠ Φ, is
mapped into a composition C in SAM model, i.e.,
fT(S) = Ci , where children(S) ≠ Φ.
Figure 2. Translated SAM Model of States Fork and Join
Vol. 2, No. 5, May 2010
Each substate s ∈ S, where children(S) = Φ, is
mapped into a component Cm ∈ C. We have fT(S)
= Cm, where children(S) = Φ, Cm ∈ C, and Cm =
< Bm, P m> . Let S be < En,Ex,Do,A,G> , where En,
Ex, Do, and A represent entry, exit, do and other
regular actions taken inside the states
respectively, G denotes the guard of any actions.
b.1 The behavior model of the component (Bm) is
described by following mapping:
fT(S) = <<pt_in, ten>, <pt_out, tex>, ti, gt >, where
pt_in, and pt_out denote input and output port
respectively, ten and tex denotes transitions that
are corresponding to entry and exit action
respectively, ti denotes transitions that
corresponding to the do action and other
internal actions, gt denotes the internal
transition’s guard function.
b.2 The property specified (P m) by OCL can be
transformed into first order (or propositional)
logic and temporal logic.
Pseudo states include initial, History, join, fork,
junction and choice. We use some special tokens
to denote and symbolize the pseudo states.
• Initial state is mapped to a token < “init” > in
an input port of the component as initial
marking.
• History state is mapped to some token in a
place. The sort of the token would be
<History, OtherTokens >.
• Fork and junction states are special states that
represent the splitting of a single flow of
control and the synchronization of concurrent
flows of control. Generally there is no label
for the input and output transitions. In the
component we use a special token < “Fork” >
or < “Join” > to represent them. Fig. 2
illustrates the translation of these two special
states.
4 (IJCNS) International Journal of Computer and Network Security,
S toUpper(), Concat() have no images in the logic
d) A transition t inside the super state S is mapped
into a connector Cn ∈ C. Let S be < E,A,Valr ,G> .
In this case, we have:
fT (< E,A,Valr ,G> ) = <<pt_in, t>, <pt_out, t>, tk,
gt_internal>, where E denotes trigger event or
action, A denotes action, pt_in, and pt_out denote
input and output port respectively, t denotes
transition, tk denotes tokens in the ports, Valr
denotes returned value of the action A, and G
denotes guard of the label, gt_internal denotes the
internal transition’s guard function.
e) Generally, we can merge the place holding the
return value for entry action with the place
holding the parameters for the do action, the
holding the return value for do action with the
place holding the parameters for the exit action.
From above translation algorithm (fT), we can realize a
mapping relation between each item in the state-chart
diagram and the SAM architecture model. This
translation algorithm (fT) is meaningful for the formal
verification of UML architecture document.
3.2 Mapping from OCL to First Order Temporal
Logic
In the translation from OCL to first order and temporal
logic, it is worth to note that following features of OCL
restrict the translation to temporal logic.
1. There is not timing concept in the OCL
specification.
2. There is not object concept in the temporal logic
specification.
3. OCL is an implementation-based and oriented
specification language, while temporal logic is a
high level specification language. Thus there is not
type system, data structure, condition and flow
control sentence in temporal logic.
4. Finally, OCL is 3-value function logic (true, false,
and undefined,) while temporal logic is a 2-value
logic.
Considering the above features and difference between
OCL and temporal logic and first order logic, we decide
to map OCL expression to the first order logic with the
following concerns:
• Context: It indicates the scope of the entity. It can be
translated to the quantifiers ∀ or ∃. The difference is
that the scope of the quantifiers in the OCL context
generally is finite.
• Navigation: Navigation through association either
results in a Set(Object) or in a Seq(Object) if
association is marked as ordered. We can use a
quantifier ∃ on Set(Object), Seq(Object) or Collection,
since the later two also have the set concept. In
addition, select and reject used in the Collection can
be mapped to the quantifiers ∀ and ∃, since they
restrict the scope of instances.
• forall and exists: are obviously translated into
quantifiers ∀ and ∃.
• allinstance: It semantically matches ∃.
• operations, attributes: All predefined boolean
operations can be mapped into first order logic
operations. All mathematic operations can be used
Vol. 2, No. 5, May 2010
directly. Some other predefined operations, such as
domain. Attributes can be (atomic) predicates in the
first order or propositional logic.
• invariants: This means that the constraints are always
holding in the context, thus it is a context-specific
safety property:  invariants
• pre- and post-condition: can be mapped to the
following temporal formula precondition → ⋄
postcondition. In the case that it is an invariants, we
have  (precondition → ⋄postcondition)
• let-in clause: let clause defines some variables used in
the in clause. In the in clause, you can use any
defined syntax in the OCL.
• if-then-else clause: Let use format if cond then r1 else
r2, we have the logic formula as follows
cond → r1 ∨ r2.
• previous value @pre: The postfix @pre refers to a
value of a property at the start of an operation in a
postcondition. In this case we have to record the
previous value and then invoke the value through
some method since there is not a corresponding
mapping in the logic.
3.3 Tool Support – SAM Translator
Runtime verification, composed of a software module and
an observer, monitors the execution of a program, and
checks its conformity with a requirement specification,
often written in a temporal logic. Runtime verification
can be applied to evaluate automatically test runs, either
on-line or o_-line, analyzing stored execution traces; or it
can be used on-line during operation, potentially steering
the application back to a safety region if a property is
violated. It is highly scalable. Several runtime verification
systems have been developed, such as JPaX [14], Java-
MAC [17], etc..
We have developed a runtime monitoring system, SAM
Parser, on Software Architecture Model (SAM) [15]
whose behavior is modeled by Petri Nets and properties
by temporal logic. To validate the translated state charts
model, we adapted it to SAM parser to reuse that tool. We
introduce the SAM Parser simply introduced in the
following.
Input: The runtime checker has to have two input data:
transformed SAM model and temporal logic. These data
are specified in the PNML and XML format.
Code Generation: The code of SAM model and temporal
logic and first order logic formulae are automatically
generated from the input files. In our work, we construct
a class as a child of templates for each net, place,
transition, arc, inscription, initial marking, and guard.
The reason for this is to make it easier to understand and
maintain. For example, the user can provide a more
efficient way to check the enableness of a transition and
the way to fire it by replacing methods of corresponding
classes without any side effects on other transitions. The
execution of generated code is non-deterministic, i.e. we
choose an enabled transition and a valid assignment
randomly to fire. It is hard to generate code automatically
given a Petri net due to the complexity of sorts, guard
conditions of transition and arc labels [25]. If some
restrictions[10] are satisfied, we can achieve it.
 (IJCNS) International Journal of Computer and Network Security, 5
Temporal logic and first order logic formulae are
transformed into automata by a logic engine Maude ([5]).
These translated automata will feed into our runtime
checker generator to produce monitors for different
formulae.
Runtime Checker Generation: Runtime checkers are
generated by breaking the temporal logic formula into
subformulae and creating a matrix for the formula [33].
In order to generate monitoring codes for properties
(linear temporal formulae), a logic server, Maude [5] in
our case, is necessary. Maude, acting as the main
algorithm generator in the framework, constructs an
e_cient dynamic programming algorithm (i.e. monitoring
code) from any LTL formula [33]. The generated
algorithm can check if the corresponding LTL formula is
satisfied over an event trace.
4. An Application of the MDA Approach
We present an instance of our approach in a statechart
diagram, which is one of the state machine in the UML
models, through a case study. The case study deals with a
simplified cruise control system adapted from [13]. In
this section we will first introduce the cruise control
system and a state chart diagram for the cruise controller.
Then we present some properties of this example. Finally,
the runtime verification results are discussed.
4.1 Cruise Control System and UML Documentation
The purpose of a cruise control system is to accurately
maintain the driver’s desired set speed, without
4.2 Experiment Results and Discussion
The time of generated code with monitors is 4.3s. We
checked 5 properties covering 5 components and 4
connectors.
Since the events and actions are defined by the methods
which are specified in the corresponding classes, each
fired transition represents a method is operated under
some guard condition. The properties specified in the
OCL expressions for the state chart diagram is mapped to
temporal formulae and further used to generate monitors.
5. Related Work
Our MDA approach and the presented framework integrate
two aspects: software architecture with UML design
notation and its extension. Moreover, our approach also
provided a runtime validation and verification technique by
using SAM Parser. The related works are discussed in the
following.
Formal Modeling and Analysis of Architecture
Descriptions in UML: Our work has been influenced by a
large body of research and practical experience. In the
interest of brevity, we only compare it to the most relevant
approaches. The work reported in this paper relates to works
that focus on specifying structural and possibly behavioral
aspects of a software system using UML. The representative
UML architecture description examples are provided by
Kruchten [21], Hofmeister et al. [16] and Clements et al.
[31]. Although several researchers have explored the formal
Vol. 2, No. 5, May 2010
intervention from the driver, by actuating the throttle-
accelerator pedal linkage. A modern automotive cruise
control is a control loop that takes over control of the
throttle, which is normally controlled by the driver with
the gas pedal, and holds the vehicle speed at a set value.
We assume an automatic transmission vehicle. When
turned on by the driver, a cruise-control system (CCS)
automatically maintains the speed of a car over varying
terrain. The CCS can be turned on by pressing Start
button, and enabled by pressing SetSpeed button. Resume
button will enable the CCS at the last maintained speed
when the brake is released. The cruise control function is
disabled when the brake or accelerator pedal is pressed.
Pressed once Resume button can increase the speed with
1mph and the SetSpeed button can decrease the speed
with 1mph when the cruise control function is enabled.
The cruise control system should be automatically
disabled when the speed is below 25mph and above
90mph. For the space limit, we cannot show the UML
diagram and generated code. Each place or port must
carry its state information which is also ignored in the
tables. Finally, we have to point out that the guard
function for a transition has to be added some more
restrictions for the evaluations. For instance, if there is a
token “void” in the input place of a transition, it means
the previous action does not have return value, we have to
justify that field to evaluate the firing condition of the
transition. This means that automatically mapping a
guard condition in a state chart diagram to a guard
function is not sufficient in some cases.
All properties are true if the conditions and guard are
satisfied. We also check some conditions that is not
suitable for the method, such as different parameters
feeding for the method that makes the guard is not
satisfied, in that case the formula is evaluated as false.
The Results are consistent with what we expected from
the state chart diagram. Finally, we also find a mapping
mistake in the component Accelerating and component
Decelerating when we check properties relative to them.
We modified the mapped SAM composition according to
the checking results.
analysis of generic UML object-oriented designs [7, 34, 12,
24, 4, 26, 35], their results may not be ready applicable to
UML architecture level designs.
Code Generation from the UML Description and
Verification in the Implementation:
There is a significant amount of research that considers
mappings from UML to other (mostly formal) modeling
techniques to validate UML models (e.g. using B [22], CSP
[8], SPIN [23], PVS [2], Petri Nets [27, 38], Z/Eves [3] and
the work with Object-Z [19, 20, 18, 39]). These works focus
on the mapping from UML diagrams to formal methods for
model checking or some specification language for the
model checkers. Moreover, less of them address the code
generation and verification in the implementation level.
Property Specification – OCL Expression and Temporal
Logic: Various methodologies proposed to deal with the
property specification of object-oriented systems. There are
two main streams to cooperate OCL with temporal logics,
one is extending OCL with temporal notations ([31, 9, 37]
6 (IJCNS) International Journal of Computer and Network Security,
etc.), another is add object concepts into temporal logics
([6]). The work in both streams increases the complexity of
the extended language and obstacles of the usage.
6. Conclusion and Future Works
In this paper, we have presented an integrated approach for
transferring an architecture description represented in UML
to a formal architecture model represented in SAM, which
not only supports design level analysis but also automated
code generation with run-time verification capability. The
specific details of the approach, outlined in the algorithms
in Section 3, are likely to evolve as our research on the
relationship between UML and software architectures
deepens; however, we believe that the approach is flexible
and general enough to accommodate needed new changes.
As pointed out by Medvidovic in the work [27] ensuring
system properties at the level of architecture is of little value
unless it can also be ensured that those properties will be
preserved in the resulting implementation. This reflects the
importance of the code generation and runtime verification
of system properties in the implementation. Our automated
code generation and run-time verification approach nicely
addresses the above research issue.
Acknowledgements We appreciate for all reviewers to read
this paper. This work is supported by Title III under grant
PO31B085057-08.
References
[1] Uml 2.0 specification. http://www.omg.org/
technology/documents/formal/uml.htm.
[2] Enhancing Structured Review with Model-Based
Verification. IEEE Transaction on Software
Engineering, 30(11):736–753, 2004. Member-Issa
Traore and Member-Demissie B. Aredo.
[3] N. Am´alio, S. Stepney, and F. Polack. Formal proof
from uml models. In ICFEM’04, volume 3308 of
Lecture Notes in Computer Science, pages 418–433,
2004.
[4] D. B. Aredo. Semantics of UML statecharts in PVS. In
Proceeding of 12th Nordic Workshop on Programming
Theory, Bergen, Norway, 2000.
[5] M. Clavel, F. J. Dur´an, S. Eker, P. Lincoln, N. Mart´ı-
Oliet, J. Meseguer, and J. F. Quesada. Maude:
Specification and Programming in Rewriting Logic.
http://maude.csl.sri.com/papers, March 1999.
[6] D. Distefano, J.-P. Katoen, and A. Rensink. On a
Temporal Logic for Object-Based Systems. In S. F.
Smith and C. L. Talcott, editors, Formal Methods for
Open Object-Based Distributed Systems IV - Proc.
FMOODS’2000, Stanford, California, USA, September
2000. Kluwer Academic Publishers.
[7] Z. Dong and X. He. Integrating UML State-chart and
Collaboration Diagrams Using Hierarchical Predicate
Transition Nets. In GI Lecture Notes in Informatics,
2001.
[8] G. Engels, R. Heckel, and J. M. K¨uster. Rule-based
specification of behavioral consistency based on the
UML meta-model. volume 2185, pages 272–284, 2001.
Vol. 2, No. 5, May 2010
[9] S. Flake and W. Mueller. An OCL extension for real-
time constraints. In Object Modeling with the OCL,
pages 150–171, 2002.
[10] Y. Fu, Z. Dong, and X. He. A Methodology of
Automated Realization of a Software Architecture
Design. In Proceedings of The Seventeenth
International Conference on Software Engineering and
Knowledge Engineering (SEKE2005), 2005.
[11] H. J. Genrich. Predicate/Transition Nets. Lecture Notes
in Computer Science, 254, 1987.
[12] M. Gogolla and F. P. Presicce. State Diagrams in UML:
A Formal Semantics using Graph Transformations. In
Proceedings of International Conference of Software
Engineering, Workshop on Precise Semantics of
Modeling Techniques, pages 55–72, 1998.
[13] H. Gomaa. Designing Concurrent, Distributed, and
Real-Time Applications with UML. Addison-Wesley
Professional, 2000.
[14] K. Havelund and G. Rosu. An overview of the runtime
verification tool java pathexplorer. Journal of Formal
Methods in System Design, 2004.
[15] X. He and Y. Deng. A Framework for Specifying and
Verifying Software Architecture Specifications in SAM.
volume 45 of The Computer Journal, pages 111–128,
2002.
[16] C. Hofmeister, R. L. Nord, and D. Soni. Describing
Software Architecture with UML. In Proceedings of the
TC2 1st Working IFIP Conference on Software
Architecture (WICSA1), pages 145 – 160, 1999.
[17] M. Kim, S. Kannan, I. Lee, and O. Sokolsky. Java-
MaC: a Run-time Assurance Tool for Java. In
Proceedings of RV’01: First International Workshop
on Runtime Verification, Paris, France, Electronic
Notes in Theoretical Computer Science. Elsevier
Science, 2001.
[18] S.-K. Kim, D. Burger, and D. Carrington. An mda
approach towards integrating formal and informal
modeling languages. In FM 2005: Formal Methods,
International Symposium of Formal Methods Europe,,
volume 3582 of Lecture Notes in Computer Science,
pages 448–464, 2005.
[19] S.-K. Kim and D. Carrington. Formalizing the UML
Class Diagrams Using Object-Z. In UML’99: The
Unified Modeling Language - Beyond the Standard,
Second International Conference, volume 1723 of
Lecture Notes in Computer Science, 1999.
[20] S.-K. Kim and D. Carrington. A Formal Mapping
between UML Models and Object-Z Specifications.
Lecture Notes in Computer Science, volume 1878,
pages 2–21, 2000.
[21] P. Kruchten. The 4+1 view model of architecture. IEEE
Software, 12(6):42–50, 1995.
[22] K. Lano, D. Clark, and K. Androutsopoulos. UML to B:
Formal Verification of Object-Oriented Models. volume
2999 of Lecture Notes in Computer Science, pages 187–
206,2004.
[23] D. Latella, I. Majzik, and M. Massink. Automatic
Verification of a Behavioural Subset of UML Statechart
Diagrams Using the SPIN Model-checker. Formal
Aspects of Computing, 11(6):637 – 664, 1999.
 (IJCNS) International Journal of Computer and Network Security, 7
[24] D. Latella, I. Majzik, and M. Massink. Towards a
Formal Operational Semantics of UML Statechart
Diagrams. In Proceedings of the 3rd IFIP International
Conference on Formal Methods for Open Object-based
Distributed Systems, pages 331–347, February 1999.
[25] S. W. Lewandowski and X. He. Generating Code for
Hierarchical Predicate Transition Net Based Designs. In
Proceedings of the 12th International Conference on
Software Engineering & Knowledge Engineering, pages
15–22, Chicago, U.S.A., July 2000.
[26] J. Lilius and I. P. Paltor. The Semantics of UML State
Machines. Technical Report 273, Turku Centre for
Computer Science, 1999.
[27] N. Medvidovic, D. S. Rosenblum, and D. F. Redmiles.
Modeling Software Architectures in the Unified
Modeling Language. ACM Transactions on Software
Engineering and Methodology, 11(1):2–57, January
2002.
[28] H. Motameni. Mapping to Convert Activity Diagram in
Fuzzy UML to Fuzzy Petri Net. World Applied Sciences
Journal, 3(3): 514 – 521, 2008. ISBN: 1818-4952.
[29] T. Murata. Petri Nets: Properties, Analysis and
Applications. Proceedings of the IEEE, 77(4):541–580,
1989.
[30] J. S. e. a. Paul Clements, Len Bass. Documenting
Software Architectures: Views and Beyond. Addison-
Wesley, January 2003.
[31] S. Ramakrishnan and J. McGregor. Extending OCL to
Support Temporal Operators. In 21st International
Conference on Software Engineering (ICSE 99),
Workshop on Testing Distributed Component-Based
Systems, May 1999.
[32] J. E. Robbins, N. Medvidovic, D. F. Redmiles, and D.
S. Rosenblum. Integrating architecture description
languages with a standard design method. In ICSE ’98:
Proceedings of the 20th international conference on
Software engineering, pages 209–218, Washington,
DC, USA, 1998. IEEE Computer Society.
[33] G. Rosu and K. Havelund. Rewriting-Based Techniques
for Runtime Verification. Journal of Automated
Software Engineering, 2004.
[34] J. Saldhana and S. M. Shatz. UML Diagrams to Object
Petri Net Models: An Approach for Modeling and
Analysis. In Proceedings of the International
Conference on Software Engineering and Knowledge
Engineering, pages 103–110, 2000.
[35] T. Sch¨afer, A. Knapp, and S. Merz. Model Checking
UML State Machines and Collaborations. Electronic
Notes in Theoretical Computer Science, 55(3):1–13,
2001.
[36] M. Shaw and D. Garlan. Software Architecture:
Perspectives on an Emerging Discipline. Prentice Hall,
1996.
[37] P. Ziemann and M. Gogolla. An Extension of OCL with
Temporal Logic. In Critical Systems Development with
UML – Proceedings of the UML’02 workshop, pages
53–62, TUM, Institut fur Informatik, TUM-I0208,
September 2002.
Vol. 2, No. 5, May 2010
[38] Jiexin Lian, Zhaoxia Hu, Sol M. Shatz. Simulation-
based analysis of UML statechart diagrams: methods
and case studies. Software Quality Journal. 16(1),
March, 2008. ISBN: 0963-9314. Springer Netherlands.
[39] Rafael M. Borges and Alexandre C. Mota. Integrating
UML and Formal Methods. Electronic Notes in
Theoretical Computer Science (ENTCS). Volume 184.
Page 97-112. July 2007. Elsevier Science Publishers.
Authors Profile
Yujian Fu received the B.S. and M.S. degrees in Electrical
Engineering from Tianjin Normal University and Nankai
University in 1992 and 1997, respectively. In 2007, she received
her Ph.D. degree in computer science from Florida International
University. She joined the faculty of Department of Computer
Science at the Alabama A&M University in the same year. Dr.
Yujian Fu conducts research in the software verification, software
quality assurance, runtime verification, and formal methods. Dr.
Yujian Fu also actively serves as reviewers of several top journals
and prestigious conferences. She continuously committed as a
member of IEEE, ACM and ASEE.
Zhijiang Dong received the B.S. and M.S. degrees in Huazhong
Tech University, Ph.D. degree in computer science from Florida
International University. He currently is assistant professor at
Middle Tennessee University. Dr. Dong’s research is mainly in the
software engineering. Dr. Dong also actively serves as reviewers of
several top journals and conferences. He continuously committed
as a member of IEEE, ACM.
Xudong He is a professor of school of computing and
information science and director of center for advanced and
distributed system engineering at Florida International University.
Dr. He’s research are software engineering, formal verification and
specification. Dr. He currently has over one hundred publications
in prestigious journals and conferences.
Sha Li is an associate professor at department of curriculum,
teaching and educational leadership, school of education of
Alabama A&M University. Dr. Sha Li received his doctorial
degree of educational technology from Oklahoma State University,
2001. Sha Li' research interests include distance education,
instructional technology, instructional design and multimedia for
learning.
Phil Bording is an associate professor and chair of department of
computer science at Alabama A&M University. Dr. Phil Bording
received his Ph.D. degree in computer science from University of
Tulsa in 1995 and M.S. degree from University of Alabama at
Huntsville in 1984. Dr. Bording’s research area is parallel
computing.