Proving Properties of Stateflow Models using ISO Standard Z and CADiZ

Ian Toyn and Andy Galloway
Department of Computer Science, University of York, Heslington, York, YO10 5DD, UK.
{ian,andyg}@cs.york.ac.uk

Abstract. This paper focuses on the use of ISO Standard Z and CADiZ in the formal validation of Stateflow models against requirements-oriented assumptions. It documents some of what the Simulink/Stateflow Analyser tool does in support of the Practical Formal Specification method. The tool aims to automate the formal validations of the method, so that users of Simulink/Stateflow can benefit from them. The Z exploits some notations that are particular to ISO Standard Z. The automation is aided by quite terse tactics interpreted by CADiZ.

1 Introduction

This paper focuses on the use of ISO Standard Z and CADiZ in the formal validation of Stateflow models against requirements-oriented assumptions. CADiZ [1, 2] is a typechecker and theorem prover for ISO Standard Z [3] specifications. Stateflow [4] is an editor and animator of statechart models [5], which works in the context of Simulink in the Matlab development environment.

The formal validation is performed with the aim of answering the question "Is this the intended model?", not the more usual "Has this model been correctly implemented?". An example of the latter is provided by the ClawZ tool for Simulink models [6]. These formal validations are similar in that they both have abstract and concrete specifications, with healthiness conditions generated to ensure that the concrete is consistent with the abstract. They differ in that the Simulink model is the abstract specification for ClawZ, whereas the Stateflow model is the concrete specification for the analysis presented in this paper. Ensuring that a model is as intended before implementing it may reduce the overall cost of software development.

The validation is done by the Simulink/Stateflow Analyser (SSA) tool [7], based on the healthiness conditions specified by Galloway's Practical Formal Specification (PFS) method [8–10]. PFS combines statecharts with assumptions. Its statecharts are a subset of Stateflow statecharts; its assumptions make explicit the requirements on each state. The SSA tool ensures that the Stateflow model is in the PFS subset, translates relevant aspects of the model and assumptions to Z, generates healthiness conditions as Z conjectures, and attempts to prove those healthiness conditions automatically. This automation is important in making
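The following is an added illustration, not code from the paper or from the SSA tool, of what "generating healthiness conditions from a statechart plus per-state assumptions and then checking them" can look like in miniature. It assumes a hypothetical statechart representation (states, guarded transitions, one assumption predicate per state) and two hypothetical healthiness conditions chosen for illustration: that guards out of a state are mutually exclusive under that state's assumption, and that every transition leads to a state whose assumption holds for the input that fired it. Where SSA hands Z conjectures to CADiZ for proof, this example simply enumerates a small finite input domain and reports counterexamples. The heater controller and its input range are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

Inputs = Dict[str, int]
Pred = Callable[[Inputs], bool]


@dataclass(frozen=True)
class Transition:
    label: str
    source: str
    target: str
    guard: Pred


@dataclass
class Chart:
    states: List[str]
    transitions: List[Transition]
    # Hypothetical form of a PFS-style assumption: a predicate on the inputs
    # that must hold whenever the chart is in that state.
    assumptions: Dict[str, Pred]


def all_inputs(domain: Dict[str, range]):
    """Enumerate every point of a finite input domain (exhaustive, so no prover is needed)."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        yield dict(zip(names, values))


def outgoing(chart: Chart, state: str) -> List[Transition]:
    return [t for t in chart.transitions if t.source == state]


def check_determinism(chart: Chart, domain: Dict[str, range]) -> List[Tuple[str, Inputs, List[str]]]:
    """Conjecture D(s): for every input allowed by s's assumption, at most one
    guard out of s is enabled.  Returns counterexamples (state, input, enabled labels)."""
    bad = []
    for s in chart.states:
        for inp in all_inputs(domain):
            if not chart.assumptions[s](inp):
                continue  # inputs outside the assumption are not the model's concern
            enabled = [t.label for t in outgoing(chart, s) if t.guard(inp)]
            if len(enabled) > 1:
                bad.append((s, inp, enabled))
    return bad


def check_target_assumptions(chart: Chart, domain: Dict[str, range]) -> List[Tuple[str, Inputs]]:
    """Conjecture T(t): whenever transition t fires under its source's assumption,
    the target state's assumption holds for the same input.  Returns (label, input) pairs."""
    bad = []
    for t in chart.transitions:
        for inp in all_inputs(domain):
            if chart.assumptions[t.source](inp) and t.guard(inp) and not chart.assumptions[t.target](inp):
                bad.append((t.label, inp))
    return bad


def validate(chart: Chart, domain: Dict[str, range]) -> Dict[str, list]:
    """Run every healthiness condition; an empty list means the conjecture held on this domain."""
    return {
        "determinism": check_determinism(chart, domain),
        "target_assumptions": check_target_assumptions(chart, domain),
    }


# Constructed input domain: a single temperature reading in whole degrees, 0..40.
DOMAIN = {"temp": range(0, 41)}


def heater_chart(cold_low: int) -> Chart:
    """Constructed heater controller.  cold_low is the lower bound of the 'cold' guard:
    0 gives a chart whose 'cold' and 'freeze' guards overlap, 10 gives the repaired chart."""
    return Chart(
        states=["Off", "On", "Alarm"],
        transitions=[
            Transition("cold", "Off", "On", lambda i: cold_low <= i["temp"] < 18),
            Transition("freeze", "Off", "Alarm", lambda i: i["temp"] < 10),
            Transition("warm", "On", "Off", lambda i: i["temp"] >= 22),
            Transition("thawed", "Alarm", "Off", lambda i: i["temp"] >= 10),
        ],
        assumptions={
            "Off": lambda i: True,
            "On": lambda i: i["temp"] <= 30,     # the heater is never running when it is already warm
            "Alarm": lambda i: i["temp"] <= 30,  # the alarm is never raised in warm conditions
        },
    )


if __name__ == "__main__":
    for low in (0, 10):
        print(f"cold_low={low}:", validate(heater_chart(low), DOMAIN))
```

With `cold_low=0` the determinism check reports ten counterexamples (readings 0..9 in state `Off`, where both `cold` and `freeze` are enabled); with `cold_low=10` both conjectures hold over the whole domain. The point of keeping the assumptions separate from the guards is the one the paragraph makes: the conjectures are only required to hold under each state's stated requirement, so tightening or loosening an assumption changes what counts as a healthy model without touching the chart itself.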