
UML Modeling Diagrams, Promela and Spin to check and validate M-Government based on a Satellite International Mobile Telecommunications Advanced System

Naseer Abdulkarim Jaber Al-Habeeb (1), Nicolae Goga (2, 3), Iuliana Marin (2), Ramona Popa (2), Andrei Vasilăţeanu (2)
Affiliation 1: Doctoral School of Automatic Control and Computers, University Politehnica of Bucharest, Bucharest,
Romania, naseeralhabeeb@gmail.com
Affiliation 2: Faculty of Engineering in Foreign Languages, Computer Science
University Politehnica of Bucharest, Bucharest, Romania, n.goga@rug.nl
Affiliation 3: Molecular Dynamics Group, University of Groningen, Groningen, Netherlands

Abstract: A noteworthy challenge in the software development process is to detect errors early in the software life cycle. Due to this reason, the verification and validation of UML diagrams outline an essential part in recognizing the flaws during the design phase. It has an unmistakable significance for software security, where it is mandatory to identify security flaws before they can be misused. This paper introduces a formal verification and validation method for three of the best-known UML diagrams (use case, sequence and state diagrams) to verify the simulation system of M-Government based on a satellite International Mobile Telecommunications (IMT) advanced system. The proposed approach creates a PROMELA-based model from UML interactions expressed in sequence and state diagrams, and uses the SPIN model checker to simulate the execution and to verify the properties. The main contribution of this work is to provide an efficient mechanism to be able to track the execution state of an interaction, which allows designers to write relevant properties regarding send/receive events and the source/destination of messages.

Keywords: UML, verification and validation, Promela, Spin, M-Government, Satellite IMT-Advanced.

I. Introduction

Software is available in many systems, such as energy, automotive, health services, maritime, aviation, and banking. Software environments are progressively concerned with security and business components and have an increasing complexity. One critical part of software is to guarantee the reliability, security, and robustness [1].

Each software has to follow the next steps:
1) Analysis and Requirement stage
2) Architectural design stage
3) Implementation stage
4) Verification stage
5) Operation and maintenance

This is accomplished by a few methods of verification, ranging from early analysis of system particularities and designs to deliberate testing of the executable software. The verification is troublesome and it consumes a lot of time. Most software systems have a high complexity due to the change of the requirements from numerous stakeholders.

One of the main problems in software development is to guarantee that the conveyed product respects its specification. For this reason, verification and validation are well settled methods for assuring the quality of a product inside the general software development lifecycle. The models are represented in the Unified Modeling Language (UML) and this has significance for security, where it is necessary to recognize flaws before they can be detected. Verification is the way towards determining that a model is accurate to the developer's conceptual description and specifications, while validation is characterized as the way towards deciding how much a model or simulation is an exact portrayal of the reality from the point of view of the proposed employments of the model or simulation [2].

Software systems are used by society and industry and their complexity develops exponentially over time. Accordingly, verification and validation technology that exists today in numerous industry branches has no match for the size and complexity of software systems. Due to this it is difficult to assure trustworthiness of software systems in a financial way. For instance, safe systems in different industries such as aviation, automotive, maritime, and energy depend on software and require to be certified based on their security. In spite of worldwide standards and practical rules, there is no financially safe, well settled way to ensure software security at a reasonable level.

Verification and validation research creates algorithms, procedures, and tools to enhance the development and automate the ways to find errors and to correct them in software systems [3].

The fundamental difficulties in regards to software verification and validation are about detecting solutions that reach to the expanding complexity of software systems. Verification of resources and validation of software systems are constrained by expertise and time. The difficulties are related to the well done automation of verification techniques and to the evaluation of the cost versus the effectiveness. Most of the work on verification and validation performed through the simulation considers a model-driven approach that depends on models of the behavior and properties of the designed software system.

II. Unified Modeling Language (UML)

The Unified Modeling Language (UML) is a standard language for creating software schemas. UML can be utilized to view, indicate, build, and document the artifacts of a software system [4]. In the same way building software architects make UML diagrams to enable software developers to create the software. By understanding the vocabulary of UML, namely the elements of the diagrams and their significance, it is easier to understand and specify a system and clarify the design of that system.

The UML has developed as a standard diagramming notation for object-oriented modeling [4, 5].

A UML model comprises three major categories of model components, every one of them being used to make statements about various types of individual things inside the system that is modeled. These categories are:
• Classifiers: A classifier portrays a set of objects. An object is an individual with a state and connections to other objects having its own properties.
• Events: An event depicts a set of conceivable occurrences. An occurrence is something that happens and has some result with respect to the system.
• Behaviors: A behavior consists of a set of possible executions. An execution is a performance of a set of actions that might create and react to the occurrence of events, including getting and setting the state of objects [6].

Figure 1 and Table 1 illustrate the major categories of model elements [7].

Table 1 Major categories of model elements

UML Behavior Modeling    UML Structural Modeling    UML Architectural Modeling
Use Cases                Classes                    Component
Use Case Diagrams        Class Diagrams             Component Diagrams
Interaction Diagrams     Object Diagrams            Distribution Diagrams
State Diagrams           Interfaces Diagrams
Activity Diagrams        Packages Diagrams

Figure 1: Major categories of model elements

There are various types of UML behavior modeling diagrams. This research is concerned with three of them (use case diagram, sequence diagram and state diagram) [4].
• Use Case Diagram: helps you decide the usefulness and features of the software from the user's point of view. It is used to offer an inclination for how to utilize cases and it outlines work.
• Sequence Diagram: is a quick and effectively made artifact that delineates input and output events regarding the system.
• State Diagram: is a graphical portrayal of states and changes as a directed graph behavior of a single object succession of states.

III. PROMELA and SPIN

Promela (Process or Protocol Meta Language) is a verification modeling language created by Gerard J. Holzmann. The language takes into consideration the dynamic production of simultaneous processes to model, such as distributed systems. In Promela models, the communication via message channels can be synchronous or asynchronous, as in the case of buffering.

Spin is a well known open source software verification tool, utilized by a large number of people from around the world. The tool can be used for the formal check of multi-threaded software applications [2]. Promela is a process modeling language having the intention to verify the rationale of parallel systems. For a program written in Promela, Spin can check the model's correctness by executing random or iterative simulations of the demonstrated system's execution, or it can produce a C program that performs a quick thorough verification of the system state space. Amid simulations and verifications, Spin checks for the lack of deadlocks, unspecified receptions, and code that cannot be executed. The verifier can likewise be used to demonstrate the correctness of the system's invariants and it can discover non-progress execution cycles. It also supports the verification of linear time temporal constraints with Promela or by straightforwardly setting the constraints in temporal logic. Each model can be checked with Spin under various sorts of presumptions regarding the environment. When the accuracy of a model has been built up with Spin, that fact can be involved in the development and verification of all resulting models [8].

Promela programs comprise processes, message channels, and variables. Processes are global objects that illustrate the concurrent entities of the distributed system. Message channels and variables can be declared either globally or locally within a process. Processes determine behavior; channels and global variables characterize the environment in which the processes run [9].

IV. M-GOVERNMENT

M-Government alludes to gathering services for the strategic use of government services and applications which are just conceivable by using cellular/mobile telephones, laptop computers and wireless internet infrastructure [10].

This research proposes the use of the Satellite IMT-Advanced systems to enhance M-Government. The Satellite IMT-Advanced systems can give reliable and omnipresent communication benefits anyplace in a worldwide premise, and their applications may incorporate different services, like commercial services for worldwide mobile personal communications and public services for national security and emergency/disaster relief. Satellite IMT systems will advance the quick organization and conveyance of such M-Government services to rural and geographically confined areas. International Mobile Telecommunications-Advanced (IMT-Advanced) systems are future mobile broadband service systems that incorporate the new capabilities of IMT beyond those of IMT-2000. IMT-Advanced systems give low-to-high mobility applications and an extensive variety of telecommunication services, as well as advanced mobile services, as per client and administration demands [11].

The satellite segment in the IMT-Advanced systems will be an essential piece of the future IMT infrastructure with enhanced service conveyance. The satellite IMT systems can offer reliable and pervasive communication services anyplace in a worldwide basis, and their applications may incorporate different services, such as business administration for worldwide mobile personal communications and open services for national security and emergency/disaster alleviation. Such services, despite the fact that they are essential for the extensive public, are an indispensable piece of some specialty markets in which the satellite system has traditionally offered services including maritime, air transportation, exploration, and open security [12].

V. M-Government based on Satellite IMT-Advanced systems. Architectural Description

The two way communication scenarios are viewed as a scope augmentation and service progression of the terrestrial part. In this basis, GSM standard call sequence and handover strategy with terrestrial part would be above all considered. For the cost-effective handover, future satellite radio interfaces ought to be compatible and have a high level of basic functionality with a conceived LTE based earthbound radio system.

Figure 2 depicts a general system architecture using the Satellite IMT-Advanced. The following factors are considered.
• Satellite: offer services and applications like those of earthbound systems outside terrestrial and Complementary Ground Component (CGC) coverage under its constraints forced by power limitation and long round trip delay.
• CGC: provide mobile satellite broadcasting/multicasting services that can be sent in areas where satellite reception is troublesome, particularly in urban areas. They might be gathered with terrestrial cell sites or independent.
• IMT-Advanced terrestrial component: the satellite component can give voice and data communication service in regions outside terrestrial coverage. The areas not satisfactorily secured by terrestrial component include physically isolated regions, gap of terrestrial component and regions where the terrestrial component is all time, or briefly, inoperative due to circumstances [12, 13].

Figure 2: Overall system architecture using the Satellite IMT-Advanced (a) scenario 1 (b) scenario 2

VI. UML modeling diagrams, PROMELA and SPIN Verification and Validation for M-Government powered by Satellite IMT-Advanced system

The chances offered by mobile technology keep on expanding with the advances in wireless broadband. There are now many well settled business solutions, improved for the mobile devices, which also have direct application to government services, workplace practices and the engagement of stakeholders.

This research uses UML modeling diagrams, Promela and Spin to verify and validate the integration of GSM and the Satellite Communication Simulation system.
a. The 1st step is using the use case diagram for the simulation system for two scenarios (mobile terrestrial system, CGC system).
b. The 2nd step is using the sequence diagram for the simulation system for two scenarios (mobile terrestrial system, CGC system).
c. The 3rd step is using the state diagram for the simulation system for two scenarios (mobile terrestrial system, CGC system).
d. The 4th step is using a verification modeling language (PROMELA) and a verification tool (SPIN) to check for the absence of deadlocks, unspecified receptions, and code that cannot be executed. The verifier can also be used to prove the correctness of system invariants and it can find non-progress execution cycles.

Figure 3 illustrates the use case diagram for the simulation system and Figure 4 illustrates the sequence diagrams for the simulation system, while Figure 5 illustrates the state diagram for the FES part of the simulation system.

Figure 3: The use case diagram for simulation system

Figure 4: The sequence diagrams for the simulation system (a) scenario 1 (b) scenario 2

Figure 5: The state diagram for the simulation system (FES part)

• PROMELA program for FES (Satellite Fixed Earth System) part of the simulation system

    proctype FES() {
        /* One-shot counters: each do-loop below runs its scenario 1 branch
           (counter == 1), then its scenario 2 branch (counter == 0), then exits. */
        byte countFA1 = 1;
        byte countFB1 = 1;
        byte countFA2 = 1;
        byte countFB2 = 1;
        byte countFA3 = 1;
        byte countFA4 = 1;
        byte countFA5 = 1;
        byte countFA6 = 1;
        byte countFA7 = 1;
    FES1:
        do
        ::(countFA1 == 1) -> countFA1 = 0; atomic {
            printf("\n FES FES1 \n");
            MSCFES_A??INITIAL_ADDRESS_MESSAGE;      /* scenario 1 */
        }
        ::(countFA1 == 0) -> countFA1 = 2; atomic {
            printf("\n FES FES1 \n");
            GMSCFES_A??RETURN_CGC_COLLECTOR;        /* scenario 2 */
        }
        ::(countFA1 == 2) -> break;
        od;

In this part of the PROMELA program for FES (Satellite Fixed Earth System) part of the simulation system, the program executes the procedure FES:
1st step Receive protocol (INITIAL_ADDRESS_MESSAGE) from procedure (MSC(A)) through channel (MSCFES_A) for scenario 1.
2nd step Receive protocol (RETURN_CGC_COLLECTOR) from procedure (GMSC) through channel (GMSCFES_A) for scenario 2.

    /* Channel request, number lookup, then forward the call to MSC(B) */
    FES2: atomic {
        printf("\n FES FES2 \n");
        FESFES_c!CHANNEL_REQ;
        goto FES3;
    }
    FES3: atomic {
        printf("\n FES FES3 \n");
        FESFES_c??CHANNEL_ALLOCATION;
        goto FES4;
    }
    FES4: atomic {
        printf("\n FES FES4 \n");
        FESHLR_B!MSISDN;
        goto FES5;
    }
    FES5: atomic {
        printf("\n FES FES5 \n");
        FESHLR_B??MSRN;
        goto FES6;
    }
    FES6: atomic {
        printf("\n FES FES6 \n");
        FESMSC_B!INITIAL_ADDRESS_MESSAGE;
        goto FES7;
    }

In this part of the PROMELA program for FES (Satellite Fixed Earth System) part of the simulation system, the program executes the procedure FES:
1st step Send protocol (CHANNEL_REQ) to procedure (FES_c) through channel (FESFES_c).
2nd step Receive protocol (CHANNEL_ALLOCATION) from procedure (FES_c) through channel (FESFES_c).
3rd step Send protocol (MSISDN) to procedure (HLR(B)) through channel (FESHLR_B).
4th step Receive protocol (MSRN) from procedure (HLR(B)) through channel (FESHLR_B).
5th step Send protocol (INITIAL_ADDRESS_MESSAGE) to procedure (MSC(B)) through channel (FESMSC_B)

    /* ACM from MSC(B) is relayed back towards the caller */
    FES7: atomic {
        printf("\n FES FES7 \n");
        FESMSC_B??ACM;
        goto FES8;
    }
    FES8:
        do
        ::(countFA2 == 1) -> countFA2 = 0; atomic {
            printf("\n FES FES8 \n");
            MSCFES_A!ACM;                           /* scenario 1 */
        }
        ::(countFA2 == 0) -> countFA2 = 2; atomic {
            printf("\n FES FES8 \n");
            GMSCFES_A!FORWORD_CGC_ACM;              /* scenario 2 */
        }
        ::(countFA2 == 2) -> break;
        od;

In this part of the PROMELA program for FES (Satellite Fixed Earth System) part of the simulation system, the program executes the procedure FES:
1st step Receive protocol (ACM) from procedure (MSC(B)) through channel (FESMSC_B).
2nd step Send protocol (ACM) to procedure (MSC(A)) through channel (MSCFES_A) for scenario 1.
3rd step send protocol (FORWORD_CGC_ACM) from procedure (GMSC) through channel (GMSCFES_A) for scenario 2.

    /* ANS from MSC(B) is relayed back towards the caller */
    FES9: atomic {
        printf("\n FES FES9 \n");
        FESMSC_B??ANS;
        goto FES10;
    }
    FES10:
        do
        ::(countFA3 == 1) -> countFA3 = 0; atomic {
            printf("\n FES FES10 \n");
            MSCFES_A!ANS;                           /* scenario 1 */
        }
        ::(countFA3 == 0) -> countFA3 = 2; atomic {
            printf("\n FES FES8 \n");
            GMSCFES_A!FORWORD_CGC_ANS;              /* scenario 2 */
        }
        ::(countFA3 == 2) -> break;
        od;

In this part of the PROMELA program for the FES (Satellite Fixed Earth System) part of simulation system, the program executes the procedure FES:
1st step Receive protocol (ANS) from procedure (MSC(B)) through channel (FESMSC_B).
2nd step Send protocol (ANS) to procedure (MSC(A)) through channel (MSCFES_A) for scenario 1.
3rd step send protocol (FORWORD_CGC_ANS) from procedure (GMSC) through channel (GMSCFES_A) for scenario 2.

    /* Billing start: FES11 handles scenario 1, FES12 handles scenario 2 */
    FES11:
        do
        ::(countFA4 == 1) -> countFA4 = 0; atomic {
            printf("\n FES FES11 \n");
            MSCFES_A??BILLING_START;
        }
        ::(countFA4 == 0) -> countFA4 = 2; atomic {
            printf("\n FES FES8 \n");
            FESMSC_B!BILLING_START;
        }
        ::(countFA4 == 2) -> break;
        od;
    FES12:
        do
        ::(countFA5 == 1) -> countFA5 = 0; atomic {
            printf("\n FES FES12 \n");
            GMSCFES_A??RETURN_CGC_BILLING_START;
        }
        ::(countFA5 == 0) -> countFA5 = 2; atomic {
            printf("\n FES FES12 \n");
            FESMSC_B!BILLING_START;
        }
        ::(countFA5 == 2) -> break;
        od;

In this part of the PROMELA program for the FES (Satellite Fixed Earth System) part of simulation system, the program executes the procedure FES:
1st step Receive protocol (BILLING_START) from procedure (MSC(A)) through channel (MSCFES_A) for scenario 1.
2nd step Send protocol (BILLING_START) to procedure (MSC(B)) through channel (MSCFES_B) for scenario 1.
3rd step Receive protocol (RETURN_CGC_BILLING_START) from procedure (GMSC) through channel (GMSCFES_A) for scenario 2.
4th step Send protocol (BILLING_START) to procedure (MSC(B)) through channel (MSCFES_B) for scenario 2.

    /* Scenario 1 conversation: relay CONNECTHELLOM in both directions */
    FES13:
        do
        ::(countFB1 == 1) -> countFB1 = 0; atomic {
            printf("\n FES(A) FES14 \n");
            MSFES_B??CONNECTHELLOM;
        }
        ::(countFB1 == 0) -> countFB1 = 2; atomic {
            printf("\n FES(A) FES14 \n");
            FESMS_A!CONNECTHELLOM;
        }
        ::(countFB1 == 2) -> break;
        od;
    FES14:
        do
        ::(countFA6 == 1) -> countFA6 = 0; atomic {
            printf("\n MS(A) MS15 \n");
            FESMS_A??CONNECTHELLOM;
        }
        ::(countFA6 == 0) -> countFA6 = 2; atomic {
            printf("\n MS(A) MS15 \n");
            MSFES_B!CONNECTHELLOM;
        }
        ::(countFA6 == 2) -> break;
        od;

In this part of the PROMELA program for the FES (Satellite Fixed Earth System) part of simulation system, the program executes the procedure FES:
1st step Receive protocol (CONNECTHELLOM) from procedure (MS(B)) through channel (MSFES_B) for scenario 1.
2nd step Send protocol (CONNECTHELLOM) to procedure (MS(A)) through channel (FESMS_A) for scenario 1.
3rd step Receive protocol (CONNECTHELLOM) from procedure (MS(A)) through channel (FESMS_A) for scenario 1.
4th step Send protocol (CONNECTHELLOM) to procedure (MS(B)) through channel (MSFES_B) for scenario 1.

    /* Scenario 2 conversation: relay through the CGC path */
    FES15:
        do
        ::(countFB2 == 1) -> countFB2 = 0; atomic {
            printf("\n FES(A) FES15 \n");
            MSFES_B??CONNECTHELLOM1;
        }
        ::(countFB2 == 0) -> countFB2 = 2; atomic {
            printf("\n FES(A) FES15 \n");
            FESMSS_A!FORWORD_CGC_HELLO;
        }
        ::(countFB2 == 2) -> break;
        od;
    FES16:
        do
        ::(countFA7 == 1) -> countFA7 = 0; atomic {
            printf("\n MS(A) MS12 \n");
            FESMSS_A??RETURN_CGC_HELLO;
        }
        ::(countFA7 == 0) -> countFA7 = 2; atomic {
            printf("\n MS(A) MS12 \n");
            MSFES_B!CONNECTHELLOM1;
        }
        ::(countFA7 == 2) -> break;
        od;
    }

In this part of the PROMELA program for the FES (Satellite Fixed Earth System) part of the simulation system, the program executes the procedure FES:
1st step Receive protocol (CONNECTHELLOM1) from procedure (MS(B)) through channel (MSFES_B) for scenario 2.
2nd step Send protocol (FORWORD_CGC_HELLO) to procedure (MS(A)) through channel (FESMS_A) for scenario 2.
3rd step Receive protocol (RETURN_CGC_HELLO) from procedure (MS(A)) through channel (FESMS_A) for scenario 2.
4th step Send protocol (CONNECTHELLOM1) to procedure (MS(B)) through channel (MSFES_B) for scenario 2.

Figure 6: The verification and validation result using PROMELA and SPIN
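
As an added illustration (not the paper's program), the Promela sketch below models only the scenario 1 call-setup exchange listed in the FES steps above and marks two events with global flags so that Spin can state properties about them. The channel and message names are the paper's; the rendezvous channel declarations, the stub peer processes, the flag names, the file name and the two LTL claims are assumptions.

```promela
/* Added example: constructed model, not the paper's code.
   Channel capacities, stub peers, flags and claims are assumptions. */
mtype = { INITIAL_ADDRESS_MESSAGE, CHANNEL_REQ, CHANNEL_ALLOCATION,
          MSISDN, MSRN, ACM };

chan MSCFES_A = [0] of { mtype };   /* MSC(A) <-> FES, rendezvous */
chan FESFES_c = [0] of { mtype };   /* FES <-> FES_c */
chan FESHLR_B = [0] of { mtype };   /* FES <-> HLR(B) */
chan FESMSC_B = [0] of { mtype };   /* FES <-> MSC(B) */

/* A rendezvous send or receive leaves no trace in the global state,
   so each event of interest sets a flag that a property can read. */
bool iam_received = false;          /* FES accepted IAM from MSC(A) */
bool acm_returned = false;          /* FES handed ACM back to MSC(A) */

proctype FES() {
    /* atomic: the flag flips in the same step as the receive */
    atomic { MSCFES_A?INITIAL_ADDRESS_MESSAGE; iam_received = true };
    FESFES_c!CHANNEL_REQ;
    FESFES_c?CHANNEL_ALLOCATION;
    FESHLR_B!MSISDN;
    FESHLR_B?MSRN;
    FESMSC_B!INITIAL_ADDRESS_MESSAGE;
    FESMSC_B?ACM;
    MSCFES_A!ACM;
    acm_returned = true
}

/* Stub peers: each one plays only its side of the exchange. */
proctype MSC_A() {
    MSCFES_A!INITIAL_ADDRESS_MESSAGE;
    MSCFES_A?ACM
}
proctype FES_c() {
    FESFES_c?CHANNEL_REQ;
    FESFES_c!CHANNEL_ALLOCATION
}
proctype HLR_B() {
    FESHLR_B?MSISDN;
    FESHLR_B!MSRN
}
proctype MSC_B() {
    FESMSC_B?INITIAL_ADDRESS_MESSAGE;
    FESMSC_B!ACM
}

init {
    atomic {
        run MSC_A(); run FES(); run FES_c(); run HLR_B(); run MSC_B()
    }
}

/* Every accepted call setup is eventually acknowledged to the caller. */
ltl answered { [] (iam_received -> <> acm_returned) }
/* No ACM goes back to the caller before the IAM has arrived. */
ltl ordered  { (!acm_returned) U iam_received }

/* Check one claim at a time (fes.pml is an assumed file name):
   spin -a fes.pml && cc -o pan pan.c && ./pan -a -N answered */
```

Removing the `FESHLR_B!MSRN` reply from the `HLR_B` stub leaves FES blocked at `FESHLR_B?MSRN`, and the `answered` claim then fails with a counterexample trail that ends at that blocked receive.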

VII. Conclusion and Future Work

This paper introduces a proficient method for formal verification and validation of UML using use case, sequence and state diagrams. Since they consider the most prevalent UML combined fragments, this approach enables the developer to find out flaws in the most complex sequence diagrams. The mechanism introduced in this work to monitor the execution of states provides information to the developer who needs to write the PROMELA program. This technique, along with other verification and validation tools, can provide a valuable framework to detect errors at the design phase, resulting in a software much more reliable at the end of the software development process.

It is specified what is needed to simulate the execution of the sequence diagrams by covering the most important combined fragments. However, the main objective of using the PROMELA-based model is not to simulate the execution of sequence diagrams, but to check the formal properties.

When it comes to verifying the formal properties on SPIN, it is impossible to determine if a send or receive event has occurred. Indeed, the system state does not change when messages are sent over channels. To overcome this obstacle, a flag-based technique is proposed to mark an occurrence of a send/receive event.

As opportunities for future work, the security aspects of Government services are not usually encapsulated in only one type of diagram. Normally they are scattered in various diagrams of different kinds. An inter-diagram analysis might provide results that are much more consistent in the assessment of UML models.

References

[1] A. Tveito et al., “Software Verification— A Scalable, Model-Driven”, Springer-Verlag Berlin Heidelberg, 2010, pp. 415-438.
[2] V. Lima, “Formal Verification and Validation of UML Sequence Diagrams using Source and Destination of Messages”, Elsevier, 2009.
[3] G. Engels, J. Kuster, M. Lohmann, “Model-Based Verification and Validation of Properties”, Electr. Notes Theor. Comput. Sci., 82(7), 2003.
[4] R. S. Pressman, “Software Engineering: A Practitioner’s Approach”, McGraw-Hill, 2010.
[5] M. Gogolla, “USE: A UML-based specification environment for validating UML and OCL”, Elsevier, 2007.
[6] C. Larman, “Applying UML and Patterns: An Introduction to Object-Oriented Analysis and Design and Iterative Development”, Prentice Hall, 2004.
[7] N. Goga, “UML – Formal verification activities”, Lecture, Software Engineering – Introduction, 2017.
[8] A. Sharma, “End to End Verification and Validation with SPIN”, CoRR, 2013.
[9] V. R. Koskinen, J. Plosila, “Applications for the SPIN Model Checker – A Survey”, Turku Centre for Computer Science, 2006.
[10] I. Kushchu, “From E-government to M-government: Facing the Inevitable”, European Conference on E-Government, 2003, pp. 253-260.
[11] S. Kesavarapu, M. Choi, “M-Government - A Framework to Investigate killer applications for developing countries: An Indian case study”, Electronic Government, vol. 9(2), 2012, pp. 200.
[12] R. E. Sheriff, Y. Fun Hu, “Mobile Satellite Communication Networks”, Wiley, 2001.
[13] Telecommunications Technology Association (TTA), “Mobile Communication Technical Committee; SAT-OFDM; General Description”, 2013.
