VSE - Verification Support Environment

Andreas Nonnengart, Georg Rock and Werner Stephan
German Research Center for Artificial Intelligence
Stuhlsatzenhausweg 3, 66123 Saarbrücken, Germany
{nonnenga,rock,stephan}@dfki.de

Abstract. The Verification Support Environment (VSE) is a CASE tool that supports the user in the formal development of software. It has a rather broad range of applicability, as has already been shown in several industrial applications, be it in the safety or in the IT-security domain. We claim that VSE is equally applicable in the domain of plan verification.

1 Introduction

The Verification Support Environment (VSE) supports large parts of the software-engineering process in a systematic way and is general enough to cover several aspects of formal modelling in a common setting. It consists of a basic system for editing and type checking specifications and implementations, a facility to display the development structure, a theorem prover that discharges the proof obligations arising from development steps (e.g. refinements), a central database to store all aspects of the development including proofs, and an automatic management of dependencies between development steps. VSE was developed in two phases for the German Information Security Agency (GISA) by consortia from industry and academia. VSE-II (Hutter et al. 1999; Rock et al. 1999), the follow-up system of VSE-I (Hutter et al. 1996), was developed under the lead management of the German Research Centre for Artificial Intelligence (DFKI).

2 Formalisms in VSE

Formal development in VSE is based on two formalisms: abstract data types are used to specify data structures and functional computations, while a version of temporal logic (based on Leslie Lamport's Temporal Logic of Actions (Lamport 2003)) is used to specify the dynamic behaviour of systems with a persistent state.
Although there is a fully developed methodology in its own right for abstract data types, data types are typically used to provide values for state-dependent (flexible) variables in state-based systems. Functional computations are then used to model single (uninterruptable) steps of state-based systems.

3 Plan Verification

In general, to solve a planning problem means to find a sequence of actions taken from a fixed given set of possible actions, each transforming states (situations) into new states (situations), such that applying this sequence of actions to a given initial state results in a desired final state.

Slightly more formally, this means that a planning problem essentially consists of a pair of states, the initial and the final state $(\sigma_0, \sigma_n)$, together with a set of possible actions $\mathcal{A}$ with $A_i : \Sigma \to \Sigma$ for each $A_i \in \mathcal{A}$. The ultimate goal is to find a sequence of actions $A_1, \ldots, A_n$ that transforms the initial state into the final state, i.e. $A_i(\sigma_i) = \sigma_{i+1}$ for all $0 \le i < n$.

Plan verification, on the other hand, addresses the problem of verifying that a given sequence of actions together with a given pair of (initial, final) states really transforms the initial state into the final state. Thus plan verification is not at all concerned with the problem of finding such a sequence; its aim is to prove that this very sequence, regardless of how it was determined, solves the problem.

Obviously, a formal plan generation approach that guarantees plan correctness would not need such a subsequent plan verification. Verifying the correctness of a plan thus comes into play whenever the plan generation did not yet guarantee the plan correctness, be it because the plan happened to be somewhat handcrafted or because an automated plan generation failed for some reason and therefore some gaps remained open that had to be filled by suitable heuristics or human action.

VSE is a tool that supports plan verification, and does so in manifold ways. On the one hand, VSE's temporal logic (of actions) fits nicely with state transformation systems. On the other hand, its internal treatment of abstract data types allows for even highly sophisticated state descriptions and state transformation descriptions (e.g. freely generated and thus inductively defined data structures). But even (dense) real-time considerations can easily be incorporated into VSE's model of actions and state transformations, although dense real-time is not directly part of the general idea of TLA (Nonnengart et al. 2001).
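The following is an added illustration of the plan verification problem from Section 3; it is not VSE's own code and does not use VSE's temporal logic or abstract data types. It assumes a constructed, STRIPS-like encoding in which a state $\sigma$ is a set of propositions and each action $A_i$ is a partial state transformer with a precondition, an add set and a delete set (the precondition is an assumption of this encoding; the paper only requires $A_i : \Sigma \to \Sigma$). The verifier does no planning at all: it takes a plan produced elsewhere (here, hand-written) and checks step by step that $A_i(\sigma_i) = \sigma_{i+1}$ is defined and that the last state equals the required final state, reporting the first step at which a handcrafted plan breaks.

```python
"""Added example: a minimal plan verifier over a constructed STRIPS-like domain.
Not VSE code. States are frozensets of propositions; actions are partial
transformers sigma_i -> sigma_{i+1} guarded by a precondition."""
from dataclasses import dataclass

State = frozenset  # a state sigma is the set of propositions that hold (constructed encoding)


@dataclass(frozen=True)
class Action:
    name: str
    pre: frozenset     # propositions that must hold in sigma_i for A_i to be applicable
    add: frozenset     # propositions that become true in sigma_{i+1}
    delete: frozenset  # propositions that become false in sigma_{i+1}

    def applicable(self, state):
        return self.pre <= state

    def apply(self, state):
        # A_i(sigma_i) = sigma_{i+1}; undefined where the precondition fails
        if not self.applicable(state):
            raise ValueError(f"{self.name} not applicable: missing {sorted(self.pre - state)}")
        return State((state - self.delete) | self.add)


def verify_plan(initial, final, plan):
    """Check that plan maps sigma_0 = initial to sigma_n = final.

    Returns (ok, trace, reason); trace holds the states sigma_0, sigma_1, ...
    actually reached, so a failing plan shows exactly where it broke."""
    state = State(initial)
    trace = [state]
    for i, action in enumerate(plan, start=1):
        if not action.applicable(state):
            missing = sorted(action.pre - state)
            return False, trace, f"step {i}: {action.name} precondition {missing} not satisfied"
        state = action.apply(state)
        trace.append(state)
    if state != State(final):
        missing = sorted(State(final) - state)
        extra = sorted(state - State(final))
        return False, trace, f"final state mismatch: missing {missing}, extra {extra}"
    return True, trace, "plan verified"


# Constructed sample domain: a locked door that must be unlocked, opened and passed.
ACTIONS = {
    "unlock": Action("unlock", frozenset({"have_key", "locked"}), frozenset({"unlocked"}), frozenset({"locked"})),
    "open": Action("open", frozenset({"unlocked", "closed"}), frozenset({"open"}), frozenset({"closed"})),
    "walk_in": Action("walk_in", frozenset({"open", "outside"}), frozenset({"inside"}), frozenset({"outside"})),
}
INITIAL = {"have_key", "locked", "closed", "outside"}          # sigma_0
FINAL = {"have_key", "unlocked", "open", "inside"}             # sigma_n


def good_plan():
    # a correct handcrafted plan: every step is applicable and sigma_3 == FINAL
    return verify_plan(INITIAL, FINAL, [ACTIONS["unlock"], ACTIONS["open"], ACTIONS["walk_in"]])


def bad_plan():
    # a handcrafted plan that forgets to unlock: "open" is not applicable in sigma_0
    return verify_plan(INITIAL, FINAL, [ACTIONS["open"], ACTIONS["walk_in"]])


def incomplete_plan():
    # every step applies, but the plan stops short of the required final state
    return verify_plan(INITIAL, FINAL, [ACTIONS["unlock"], ACTIONS["open"]])


if __name__ == "__main__":
    for label, (ok, trace, reason) in (("good", good_plan()), ("bad", bad_plan()), ("incomplete", incomplete_plan())):
        print(f"{label}: ok={ok} ({reason})")
        for i, s in enumerate(trace):
            print(f"  sigma_{i} = {sorted(s)}")
```

The verifier deliberately separates the two ways a plan can be wrong that the paper's definition implies: a step whose transformer is undefined on the state actually reached (precondition violated), and a sequence that is executable throughout but ends in a state other than $\sigma_n$. In a tool such as VSE the same check would be a proof obligation over the formal state and action definitions rather than an executable test, so this script only mirrors the shape of the problem, not the proof.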