ERCIM NEWS 99 October 2014 31

KandISTI: A Family of Model Checkers for the Analysis of Software Designs
by Maurice ter Beek, Stefania Gnesi and Franco Mazzanti

Driven by a series of European projects, researchers from the Formal Methods and Tools lab of ISTI-CNR have developed a family of model-checking tools for the computer-aided verification of the correctness of software designs. To date, these tools have been applied to a range of case studies in the railway, automotive and telecommunication fields.

When analysing the correctness of designs in complex software systems during their early stages of development, it is essential to apply formal methods and tools. The broader system is described using a formal specification language, and its correctness with respect to the relevant behavioural properties is checked by formally evaluating temporal logic formulas over the underlying computational model. Over the last two decades, we have developed the KandISTI family of model checkers, each based on a different specification language but all sharing a common (on-the-fly) temporal logic and verification engine.

The main objective of the KandISTI framework is to provide formal support to the software design process, especially in the early stages of the incremental design phase (i.e., when designs are still likely to be incomplete and to contain mistakes). The main features of KandISTI are the possibilities of (i) manually exploring the evolution of a system and generating a summary of its behaviours; (ii) investigating abstract system properties using a temporal logic supported by an on-the-fly model checker; and (iii) obtaining a clear explanation of the model-checking results, in terms of possible evolutions of the specific computational model.

The first tool in the family was the FMC model checker, which describes a system as a hierarchical composition of sequential automata. This tool proved to be a very useful aid when teaching the fundamentals of automated verification techniques in software engineering courses. In an attempt to reduce the gap between theoreticians and software engineers, the original model-checking approach was then applied experimentally to a computational model based on UML statecharts. In the context of the FP5 and FP6 EU projects AGILE and SENSORIA, this led to the development of UMC, in which a system is specified as a set of communicating UML-like state machines. In cooperation with Telecom Italia, UMC was used to model and verify an asynchronous version of the SOAP communication protocol, and to model and analyse an automotive scenario provided by an industrial partner of the SENSORIA project. Currently, UMC is being used successfully to trial a model-checking-based design methodology in the context of the regional project TRACE-IT (Train Control Enhancement via Information Technology). This project aims to develop an automatic train supervision system that guarantees deadlock freedom for train dispatches, even when there are arbitrary delays with respect to the original timetable. The largest model we analysed in this context had a state space of 35 million states.

Again in the context of SENSORIA, we developed the CMC model checker for the service-oriented process algebra COWS. Service-oriented systems require a logic that expresses the correlation between dynamically generated values appearing inside actions at different times. These correlation values make it possible, e.g., to relate the responses of a service to their specific requests, or to handle the concept of a session involving a long sequence of interactions among interacting partners. CMC was used to model and analyse service-oriented scenarios from the automotive and finance domains, as provided by industrial partners in the project.

The most recent member of the KandISTI family is VMC, which was developed specifically for the specification and verification of software product families. VMC performs two kinds of behavioural variability analysis on a given family of products. The first is a logic property expressed in a variability-aware version of a known logic. This can be verified directly against the high-level specification of the product family behaviour, relying on the fact that, under certain syntactic conditions, the validity of the property over the family model guarantees the validity of the same property for all product models of the family. The second is that the actual set of

Figure 1: The railway yard layout and missions for trains on the green, red, yellow and blue lines.
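As an added illustration (not KandISTI code and not from the article), the following Python script shows the three ingredients described above on a constructed two-train, two-section version of the train-dispatch problem from TRACE-IT: an explicit model of communicating state machines, an on-the-fly exploration that checks deadlock freedom, and the explanatory action trace returned when the property fails. The missions, section names and the two dispatch policies are assumptions of the example.

```python
from collections import deque

# Constructed example: two trains whose missions cross the same single-track sections
# in opposite order. A train holds the section it is in; the last section is the exit.
MISSIONS = {"A": ("s1", "s2"), "B": ("s2", "s1")}

def naive(train, k, route, held):
    return True  # dispatch policy: enter any section as soon as it is free

def reserve_route(train, k, route, held):
    """Dispatch policy: start a mission only when every section of its route is free."""
    return k > 0 or not any(sec in held for sec in route)

def successors(state, missions, policy):
    """Enabled moves from a state: each train may advance one section of its mission."""
    progress, occ = state
    held = dict(occ)
    for i, train in enumerate(missions):
        route, k = missions[train], progress[i]
        if k == len(route):
            continue  # mission complete, train has left the yard
        nxt = route[k]
        if held.get(nxt, train) != train or not policy(train, k, route, held):
            continue  # section occupied by another train, or dispatcher says wait
        new_held = {s: t for s, t in held.items() if t != train}  # release current section
        if k + 1 < len(route):
            new_held[nxt] = train  # the exit section is never held
        new_progress = progress[:i] + (k + 1,) + progress[i + 1:]
        yield f"{train}->{nxt}", (new_progress, tuple(sorted(new_held.items())))

def find_deadlock(missions, policy):
    """On-the-fly breadth-first search: states are built only as reached and the search
    stops at the first deadlock, returning the action trace that explains it (or None)."""
    init = (tuple(0 for _ in missions), ())
    parent, queue = {init: None}, deque([init])
    while queue:
        state = queue.popleft()
        moves = list(successors(state, missions, policy))
        finished = all(k == len(missions[t]) for t, k in zip(missions, state[0]))
        if not moves and not finished:
            trace = []
            while parent[state] is not None:
                state, action = parent[state]
                trace.append(action)
            return trace[::-1]
        for action, nxt in moves:
            if nxt not in parent:
                parent[nxt] = (state, action)
                queue.append(nxt)
    return None
```

Under the naive policy the search stops after two moves with the trace A->s1, B->s2 (each train holds the section the other needs); under reserve_route every reachable state can progress or is final, so the check returns None.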