2025Activity report​​​‌Project-TeamCONVECS

5.1.1 CADP

• Name:
  Construction‌ and Analysis of Distributed‌​‌ Processes
• Keywords:
  Formal methods,​​ Verification
• Functional Description:

  CADP​​​‌ (Construction and Analysis‌ of Distributed Processes –‌​‌ formerly known as CAESAR/ALDEBARAN​​ Development Package) 5​​​‌ is a toolbox for‌ protocols and distributed systems‌​‌ engineering.

  In this toolbox,​​ we develop and maintain​​​‌ the following tools:

  • CAESAR.ADT‌  24 is a compiler‌​‌ that translates LOTOS abstract​​ data types into C​​​‌ types and C functions.‌ The translation involves pattern-matching‌​‌ compiling techniques and automatic​​ recognition of usual types​​​‌ (integers, enumerations, tuples, etc.),‌ which are implemented optimally.‌​‌
  • CAESAR  30, 29​​ is a compiler that​​​‌ translates LOTOS processes into‌ either C code (for‌​‌ rapid prototyping and testing​​ purposes) or finite graphs​​​‌ (for verification purposes). The‌ translation is done using‌​‌ several intermediate steps, among​​ which the construction of​​​‌ a Petri net extended‌ with typed variables, data‌​‌ handling features, and atomic​​​‌ transitions.

  • OPEN/CAESAR  28 is​ a generic software environment​‌ for developing tools that​​ explore graphs on the​​​‌ fly (for instance, simulation,​ verification, and test generation​‌ tools). Such tools can​​ be developed independently of​​​‌ any particular high level​ language. In this respect,​‌ OPEN/CAESAR plays a central​​ role in CADP by​​​‌ connecting language-oriented tools with​ model-oriented tools. OPEN/CAESAR consists​‌ of a set of​​ 16 code libraries with​​​‌ their programming interfaces, such​ as:

    • CAESAR  GRAPH, which​‌ provides the programming interface​​ for graph exploration,
    • CAESAR​​​‌  HASH, which contains several​ hash functions,
    • CAESAR  SOLVE,​‌ which resolves Boolean equation​​ systems on the fly,​​​‌
    • CAESAR  STACK, which implements​ stacks for depth-first search​‌ exploration, and
    • CAESAR  TABLE,​​ which handles tables of​​​‌ states, transitions, labels, etc.​

    A number of on-the-fly​‌ analysis tools have been​​ developed within the OPEN/CAESAR​​​‌ environment, among which:

    • BISIMULATOR,​ which checks bisimulation equivalences​‌ and preorders,
    • CUNCTATOR, which​​ performs steady-state simulation of​​​‌ continuous-time Markov chains,
    • DETERMINATOR,​ which eliminates stochastic nondeterminism​‌ in normal, probabilistic, or​​ stochastic systems,
    • DISTRIBUTOR, which​​​‌ generates the graph of​ reachable states using several​‌ machines,
    • EVALUATOR, which evaluates​​ MCL formulas,
    • EXECUTOR, which​​​‌ performs random execution,
    • EXHIBITOR,​ which searches for execution​‌ sequences matching a given​​ regular expression,
    • GENERATOR, which​​​‌ constructs the graph of​ reachable states,
    • PROJECTOR, which​‌ computes abstractions of communicating​​ systems,
    • REDUCTOR, which constructs​​​‌ and minimizes the graph​ of reachable states modulo​‌ various equivalence relations,
    • SIMULATOR,​​ XSIMULATOR, and OCIS, which​​​‌ enable interactive simulation, and​
    • TERMINATOR, which searches for​‌ deadlock states.
  • BCG (​​Binary Coded Graphs)​​​‌ is both a file​ format for storing very​‌ large graphs on disk​​ (using efficient compression techniques)​​​‌ and a software environment​ for handling this format.​‌ BCG also plays a​​ key role in CADP​​​‌ as many tools rely​ on this format for​‌ their inputs/outputs. The BCG​​ environment consists of various​​​‌ libraries with their programming​ interfaces, and of several​‌ tools, such as:
    • BCG​​  CMP, which compares two​​​‌ graphs,
    • BCG  DRAW, which​ builds a two-dimensional view​‌ of a graph,
    • BCG​​  EDIT, which allows the​​​‌ graph layout produced by​ BCG  DRAW to be​‌ modified interactively,
    • BCG  GRAPH,​​ which generates various forms​​​‌ of practically useful graphs,​
    • BCG  INFO, which displays​‌ various statistical information about​​ a graph,
    • BCG  IO,​​​‌ which performs conversions between​ BCG and many other​‌ graph formats,
    • BCG  LABELS,​​ which hides and/or renames​​​‌ (using regular expressions) the​ transition labels of a​‌ graph,
    • BCG  MIN, which​​ minimizes a graph modulo​​​‌ strong or branching equivalences​ (and can also deal​‌ with probabilistic and stochastic​​ systems),
    • BCG  STEADY, which​​​‌ performs steady-state numerical analysis​ of (extended) continuous-time Markov​‌ chains,
    • BCG  TRANSIENT, which​​ performs transient numerical analysis​​​‌ of (extended) continuous-time Markov​ chains, and

    • XTL (​‌eXecutable Temporal Language),​​ which is a high​​​‌ level, functional language for​ programming exploration algorithms on​‌ BCG graphs. XTL provides​​ primitives to handle states,​​​‌ transitions, labels, successor and​ predecessor functions, etc.

      For​‌ instance, one can define​​ recursive functions on sets​​​‌ of states, which allow​ evaluation and diagnostic generation​‌ fixed point algorithms for​​ usual temporal logics (such​​ as HML  31,​​​‌ CTL 22, ACTL‌ 23, etc.) to‌​‌ be defined in XTL.​​

  • PBG (Partitioned BCG​​​‌ Graph) is a‌ file format implementing the‌​‌ theoretical concept of Partitioned​​ LTS  27 and providing​​​‌ a unified access to‌ a graph partitioned in‌​‌ fragments distributed over a​​ set of remote machines,​​​‌ possibly located in different‌ countries. The PBG format‌​‌ is supported by several​​ tools, such as:
    • PBG​​​‌  CP, PBG  MV, and‌ PBG  RM, which facilitate‌​‌ standard operations (copying, moving,​​ and removing) on PBG​​​‌ files, maintaining consistency during‌ these operations,
    • PBG  MERGE‌​‌ (formerly known as BCG​​  MERGE), which transforms a​​​‌ distributed graph into a‌ monolithic one represented in‌​‌ BCG format,
    • PBG  INFO,​​ which displays various statistical​​​‌ information about a distributed‌ graph.
  • The connection between‌​‌ explicit models (such as​​ BCG graphs) and implicit​​​‌ models (explored on the‌ fly) is ensured by‌​‌ OPEN/CAESAR-compliant compilers, e.g.:
    • BCG​​  OPEN, for models represented​​​‌ as BCG graphs,
    • CAESAR.OPEN,‌ for models expressed as‌​‌ LOTOS descriptions,
    • EXP.OPEN, for​​ models expressed as communicating​​​‌ automata,
    • FSP.OPEN, for models‌ expressed as FSP  34‌​‌ descriptions,
    • LNT.OPEN, for models​​ expressed as LNT descriptions,​​​‌ and
    • SEQ.OPEN, for models‌ represented as sets of‌​‌ execution traces.

  The CADP​​ toolbox also includes TGV​​​‌ (Test Generation based‌ on Verification), which‌​‌ has been developed by​​ the VERIMAG laboratory (Grenoble)​​​‌ and Inria Rennes –‌ Bretagne-Atlantique.

  The CADP tools‌​‌ are well-integrated and can​​ be accessed easily using​​​‌ either the EUCALYPTUS graphical‌ interface or the SVL‌​‌  26 scripting language. Both​​ EUCALYPTUS and SVL provide​​​‌ users with an easy‌ and uniform access to‌​‌ the CADP tools by​​ performing file format conversions​​​‌ automatically whenever needed and‌ by supplying appropriate command-line‌​‌ options as the tools​​ are invoked.

• URL:
  http://­cadp.­inria.­fr/​​​‌
• Contact:
  Hubert Garavel
• Participants:‌
  Hubert Garavel, Frederic Lang,‌​‌ Radu Mateescu, Wendelin Serwe​​

5.1.2 TRAIAN

• Keywords:
  Compilation,​​​‌ LOTOS NT
• Functional Description:‌

  TRAIAN is a compiler‌​‌ for translating LOTOS NT​​ descriptions into C programs,​​​‌ which will be used‌ for simulation, rapid prototyping,‌​‌ verification, and testing.

  The​​ current version of TRAIAN,​​​‌ which handles LOTOS NT‌ types and functions only,‌​‌ has useful applications in​​ compiler construction  25,​​​‌ being used in all‌ recent compilers developed by‌​‌ CONVECS.

• URL:
  http://­convecs.­inria.­fr/­software/­traian/
• Contact:​​
  Hubert Garavel
• Participants:
  Hubert​​​‌ Garavel, Frederic Lang, Wendelin‌ Serwe

6.1.1​​​‌ LNT Specification Language

Participants:‌ Hubert Garavel [correspondent],‌​‌ Frédéric Lang, Wendelin​​ Serwe.

LNT 6​​​‌21 is a next-generation‌ formal description language for‌​‌ asynchronous concurrent systems. The​​ design of LNT at​​​‌ CONVECS is the continuation‌ of the efforts undertaken‌​‌ in the 80s to​​ define sound languages for​​​‌ concurrency theory and, indeed,‌ LNT is derived from‌​‌ the ISO standards LOTOS​​ (1989) and E-LOTOS (2001).​​​‌ In a nutshell, LNT‌ attempts to combine the‌​‌ best features of imperative​​ programming languages, functional languages,​​​‌ and value-passing process calculi.‌

LNT is not a‌​‌ frozen language: its definition​​ started in 2005, as​​​‌ part of an industrial‌ project. Since 2010, LNT‌​‌ has been systematically used​​​‌ by CONVECS for numerous​ case studies (many of​‌ which being industrial applications​​ — see § 6.5​​​‌). LNT is also​ used as a back-end​‌ by other research teams​​ who implement various languages​​​‌ by translation to LNT.​ It is taught in​‌ university courses, e.g., at​​ University Grenoble Alpes and​​​‌ ENSIMAG, where it is​ positively accepted by students​‌ and industry engineers. Based​​ on the feedback acquired​​​‌ by CONVECS, LNT is​ continuously improved.

LOTOS NT​‌ is a language predecessor​​ of LNT, equipped with​​​‌ the TRAIAN compiler, which​ is used for the​‌ construction of most CADP​​ compilers and translators. In​​​‌ 2025, the unification of​ LNT and LOTOS NT​‌ was achieved, with the​​ removal of all references​​​‌ to LOTOS NT in​ tools and documentation. As​‌ a consequence, from January​​ 2025, newer versions of​​​‌ TRAIAN have been distributed​ as part of the​‌ monthly releases of CADP.​​ In parallel, the releases​​​‌ of TRAIAN have continued​ independently of CADP on​‌ a less frequent schedule,​​ with a single consolidated​​​‌ version TRAIAN 3.17 released​ in 2025, which improves​‌ the static semantics checking​​ (enhanced warning and error​​​‌ messages, more precise data-flow​ analysis on array types​‌ and “case” patterns, detection​​ of irrelevant “require” and​​​‌ “ensure” clauses, detection of​ constant loop conditions).

In​‌ 2025, the LNT language​​ was enhanced in several​​​‌ respects:

• A new iterative​ construct “for ... until”​‌ (with breakable and unbreakable​​ forms), useful to scan​​​‌ the domain of enumerated​ and range types, was​‌ introduced in both LNT​​ functions and processes.
• LNT​​​‌ was enriched with virtual​ processes, types, and channels​‌ (all defined using the​​ “!virtual” pragma), which enables​​​‌ one to specify generic​ LNT modules parameterized by​‌ types, functions, processes, and/or​​ channels.
• Two new instructions​​​‌ “+=” and “-=” for​ incrementing and decrementing variables​‌ or array elements (for​​ numeric types and all​​​‌ types equipped with binary​ functions named “+” or​‌ “-”) have been added.​​
• The syntax of LNT​​​‌ was made stricter, so​ as to ban ambiguous​‌ combinations of prefix unary​​ operators and postfix notations,​​​‌ such as type conversions​ (“V of T”), field​‌ selections (“V.X”), field updates​​ (“V.$\{$X ->​​​‌ ...$\}$”), and​ array accesses (“V1 [V2]”).​‌
• The “..” keyword (used​​ in the definition of​​​‌ range and array types)​ was deprecated and replaced​‌ by the “...” keyword​​ (used in lists and​​​‌ sets). The former notation​ “!?X” for “in out”​‌ parameters was deprecated and​​ replaced by a simpler​​​‌ notation “X?”.
• A new​ pragma “!library” was introduced​‌ to suppress the warnings​​ emitted about functions and​​​‌ processes never called and/or​ types and channels never​‌ employed. Pragmas “!implementedby” can​​ now be attached to​​​‌ “with get” and “with​ set” clauses to fix​‌ the names of the​​ corresponding selector and updater​​​‌ functions.

Additionally, the predefined​ libraries of LNT have​‌ been enriched with over​​ 70 new functions to​​​‌ increase user-friendliness (“min” and​ “max” functions for all​‌ types, “inf” and “sup”​​ for list and set​​​‌ types, “+” and “-”​ for range types, etc.).​‌

The LNT documentation was​​ updated accordingly and the​​ LNT2LOTOS Reference Manual was​​​‌ enriched with 14 pages‌ of examples taken from‌​‌ courses and exams given​​ at ENSIMAG and UGA.​​​‌

6.1.2 Formal Modeling and‌ Analysis of BPMN

Participants:‌​‌ David Cremer, Frédéric​​ Lang, Quentin Nivon​​​‌, Gwen Salaün [correspondent]‌.

Modelling and designing‌​‌ business processes has become​​ a crucial activity for​​​‌ companies in the last‌ 20 years. As a‌​‌ consequence, multiple workflow modelling​​ notations were proposed. BPMN​​​‌ (Business Process Modelling‌ Notation) is one‌​‌ of them and is​​ now considered as the​​​‌ de facto standard for‌ process modelling.

In 2025,‌​‌ we contributed to the​​ generation, verification, and maintenance​​​‌ of BPMN processes along‌ two directions.

• One existing‌​‌ challenge is to enhance​​ the design of BPMN​​​‌ processes with formal methods‌ in order to avoid‌​‌ erroneous descriptions and to​​ ensure correct process executions.​​​‌

  Since classic verification techniques‌ require a certain level‌​‌ of expertise, we proposed​​ an approach accessible to​​​‌ any kind of users,‌ either novices or experts,‌​‌ as one can describe​​ both processes and their​​​‌ functional requirements in natural‌ language. We implemented the‌​‌ approach in the GIVUP​​ (GeneratIon and Verification of​​​‌ Underspecified Processes) tool, which‌ takes as input a‌​‌ textual description of a​​ process in natural language​​​‌ and automatically generates a‌ corresponding BPMN process. GIVUP‌​‌ first uses an LLM​​ (Large Language Model) to​​​‌ extract task dependencies and‌ additional information from the‌​‌ description, and then manipulates​​ these dependencies to generate​​​‌ a single BPMN process.‌ The tool can also‌​‌ take as input a​​ textual description of a​​​‌ functional property that must‌ be preserved, and checks‌​‌ whether the process satisfies​​ the property. This is​​​‌ achieved by transforming both‌ the BPMN process into‌​‌ a language understandable by​​ model checkers, and the​​​‌ textual property into LTL‌ (Linear Temporal Logic), and‌​‌ finally by verifying the​​ property on the process​​​‌ model using model checking.‌ If the property is‌​‌ violated, the diagnostic (visualized​​ as classic counterexample, set​​​‌ of all counterexamples, or‌ coloured BPMN process) can‌​‌ be used to refine​​ the process description. GIVUP​​​‌ was applied to a‌ large set of examples‌​‌ for evaluation purposes. This​​ work led to a​​​‌ publication in an international‌ conference 14. A‌​‌ detailed account of the​​ work carried out on​​​‌ the generation, analysis, and‌ optimization of BPMN processes‌​‌ is available in Quentin​​ Nivon's PhD thesis  37​​​‌.

• Maintaining consistency between‌ business process models and‌​‌ their textual descriptions is​​ critical for operational clarity,​​​‌ compliance, and communication. However,‌ as process models evolve,‌​‌ updating documentation remains costly​​ and error-prone.

  In collaboration​​​‌ with Benjamin Dalmas (iGrafx),‌ we proposed an automated‌​‌ approach that treats process-text​​ consistency as an edit-based​​​‌ synchronization problem. The approach‌ combines graph-based model differencing‌​‌ with prompt-guided editing by​​ LLMs. For balanced acyclic​​​‌ BPMN processes, we introduce‌ the Longest Common Execution‌​‌ Subsequence (LCES) algorithm to​​ isolate shared control-flow, while​​​‌ for processes containing loops‌ or unbalanced gateways, we‌​‌ employ a custom beam-search​​ heuristic that explores plausible​​​‌ sequences of insertions, deletions,‌ and refinements. Our experiments‌​‌ indicate that this approach​​​‌ can produce text that​ remains semantically aligned with​‌ updated processes and stylistically​​ consistent with original descriptions.​​​‌ This work led to​ a publication in an​‌ international conference 15.​​

6.1.3 SYNTAX Compiler Generator​​​‌

Participants: Pierre Boullier,​ Hubert Garavel [correspondent],​‌ Frédéric Lang, Wendelin​​ Serwe.

SYNTAX is​​​‌ a compiler-generation tool that​ generates lexical analyzers (scanners)​‌ and syntactic analyzers (parsers)​​ for deterministic and nondeterministic​​​‌ context-free grammars. Developed since​ 1970, SYNTAX is probably​‌ the oldest software of​​ INRIA that is still​​​‌ actively used and maintained.​ In particular, SYNTAX serves​‌ to produce the front-end​​ part of most compilers​​​‌ of CADP, including TRAIAN.​

Since the closing of​‌ the INRIA Gforge in​​ 2021, the SYNTAX code​​​‌ is hosted on the​ RENATER SVN repository.​‌

In 2025, the development​​ of SYNTAX has been​​​‌ active, with 661 commits.​ Significant progress was made​‌ in the three following​​ directions.

6.1.4 Other Language Developments​​​‌

Participants: Hubert Garavel,‌ Frédéric Lang, Radu‌​‌ Mateescu.

In 2025,​​ in addition to various​​​‌ bug fixes in EVALUATOR‌ (option “-bes”) and SVL,‌​‌ various languages and compilers​​ of CADP have been​​​‌ improved as follows:

• The‌ XTL_EXPAND preprocessor, common to‌​‌ the MCL and XTL​​ languages, now supports single-line​​​‌ comments beginning with “‌$--$”, in‌​‌ addition to the already​​ supported multi-line comments delimited​​​‌ by “(*” and “*)”.‌ The “standard.mcl” library of‌​‌ MCL was improved by​​ introducing eight macro-definitions of​​​‌ common usage that remove‌ the need for writing‌​‌ lower-level $\mu$-calculus formulas.​​
• The MCL_EXPAND preprocessor was​​​‌ enhanced to report data‌ variables defined but not‌​‌ used in MCL formulas​​ and to reduce the​​​‌ size of formulas (by‌ factoring common prefixes of‌​‌ regular formulas occurring in​​ modalities), which in some​​​‌ cases reduced the verification‌ time by up to‌​‌ $37\%$.
• The​​ three versions 3, 4,​​​‌ 5 of the EVALUATOR‌ model checker have been‌​‌ merged into a single​​ one, and the source​​​‌ code of EVALUATOR, MCL_EXPAND,‌ and XTL_EXPAND, as well‌​‌ as the C code​​ they produce, were ported​​​‌ to C23 (the latest‌ revision of the C‌​‌ language published in October​​ 2024).
• The syntax of​​​‌ the SVL language was‌ enhanced by extending the‌​‌ “$|$=” operator​​ to evaluate properties stored​​​‌ in MCL and XTL‌ files, by introducing three‌​‌ new keywords “end abstraction”,​​ “end generation”, and “end​​​‌ reduction” for better structuring,‌ and by simplifying the‌​‌ language following the unification​​ of the three versions​​​‌ of EVALUATOR into a‌ single one.
• The SVL‌​‌ compiler was improved to​​ run SVL scripts as​​​‌ full-fledge programs from the‌ command line, to distinguish‌​‌ more clearly between errors​​ and warnings reported by​​​‌ the various CADP tools‌ invoked, and to directly‌​‌ display the messages emitted​​ by the last CADP​​​‌ command that failed.

6.2.1 Cloud Computing

Participants:​​ Ahmed Khebbeb, Gwen​​​‌ Salaün [correspondent].

Cloud‌ computing becomes increasingly complex‌​‌ due to the emergence​​ of new computing infrastructures​​​‌ (e.g., edge computing or‌ the cloud-edge-IoT computing continuum),‌​‌ which involve diverse and​​ heterogeneous resources, geographical distribution,​​​‌ and increased requirements for‌ dynamicity, security, and energy‌​‌ consumption.

In 2025, in​​​‌ the context of the​ TARANIS project (see §​‌ 8.3.1), we contributed​​ to the cloud computing​​​‌ domain as follows.

6.2.2 Blockchain​‌ for Digital Health

Participants:​​ Suraj Gupta, Frédéric​​​‌ Lang, Gwen Salaün​ [correspondent].

Electronic Health​‌ Records (EHRs) are essential​​ for modern healthcare technology,​​​‌ having a critical role​ in various applications (clinical​‌ decision support systems, telehealth​​ platforms, population health management​​ tools, patient portals, research​​​‌ platforms for medical innovation).‌ Given their sensitive nature,‌​‌ EHRs are subject to​​ interoperability, security, and efficiency​​​‌ constraints.

In 2025, in‌ collaboration with Umar Ozeer‌​‌ (Euris, see § 7.1.1​​), we proposed FaSTr,​​​‌ a blockchain-based solution that‌ aims to make the‌​‌ process of interacting with​​ EHRs fast, secure, and​​​‌ transparent by providing services.‌ FaSTr integrates with an‌​‌ EHR storage system and​​ provides secure API endpoints​​​‌ used by authorized applications‌ to access the EHR‌​‌ data. FaSTr handles multiple​​ requests from applications for​​​‌ EHRs in near-real time‌ while maintaining high availability‌​‌ and robustness, enables strict​​ access control policies for​​​‌ accessing EHRs, integrates in‌ a standardized way with‌​‌ EHR storage systems, and​​ provides immutable logging of​​​‌ changes in access policies‌ and all interactions with‌​‌ EHRs. A prototype implementation​​ of FaSTr was developed​​​‌ and experimented to evaluate‌ its latency and throughput,‌​‌ demonstrating that the network​​ scales well with an​​​‌ increasing ledger size. This‌ work led to a‌​‌ publication in an international​​ conference 11.

6.3.1 Nondeterminism in‌​‌ Interactive Markov Chains

Participants:​​ Hubert Garavel.

Modeling​​​‌ and analyzing complex systems‌ that combine functional behaviour‌​‌ and quantitative aspects poses​​ a difficult challenge, namely​​​‌ the proper integration of‌ process calculi and (discrete-time‌​‌ or continuous-time) Markov chains.​​ Mainstream process calculi are​​​‌ inherently non-deterministic (e.g., due‌ to their choice operators‌​‌ and to the interleaving​​ semantics of their parallel​​​‌ composition operators), whereas the‌ concept of nondeterminism is‌​‌ absent in Markov chains.​​ Thus, it is not​​​‌ straightforward to define conservative‌ extensions of process calculi‌​‌ with Markov chains.

In​​ 2025, in collaboration with​​​‌ Holger Hermanns (Saarland University,‌ Germany), we investigated three‌​‌ related issues:

• Two types​​ of state-transition models have​​​‌ been proposed for the‌ formal description of continuous-time‌​‌ stochastic systems, in which​​ delays are governed by​​​‌ exponential distributions of known‌ rate parameters. In the‌​‌ first type, each transition​​ consists of an event​​​‌ and a rate glued‌ together, while in the‌​‌ second type, illustrated by​​ the IMCs (Interactive Markov​​​‌ Chains)  32 each transition‌ carries either an event‌​‌ or a rate. This​​ raises compatibility, as well​​​‌ as modeling choice issues,‌ since both types of‌​‌ models are theoretically different.​​
• The next issues concern​​​‌ the possibility of automated‌ conversions between both types‌​‌ of models. Specifically, we​​ defined a translation function​​​‌ that converts models of‌ the first type into‌​‌ models of the second​​ type. We studied how​​​‌ faithful this translation is‌ with respect to crucial‌​‌ properties such as deadlocks,​​ determinism, and the preservation​​​‌ of steady-state and transient‌ probabilities.
• Finally, we studied‌​‌ the issues related to​​ the presence of nondeterminism​​​‌ in the models of‌ the second type produced‌​‌ by our translation function.​​ We analyzed the reasons​​​‌ why such nondeterminism appears‌ and discussed how to‌​‌ cope with it or​​ to eliminate it using​​​‌ successive transformations of the‌ model.

We investigated these‌​‌ issues on a concrete​​ case study, the “Erlangen​​​‌ mainframe”, for which models‌ of the first type‌​‌ already exist, and for​​​‌ which we developed a​ new model of the​‌ second type in LNT.​​ This work was published​​​‌ as a book chapter​ 16.

6.5.1​​​‌ Autonomous Car

Participants: Wei​ Chen, Jean-Baptiste Horel​‌, Radu Mateescu [correspondent]​​, Wendelin Serwe,​​​‌ Aline Uwimbabazi.

Devising​ scenarios for testing autonomous​‌ vehicles (AV) is still​​ a challenging task that​​​‌ requires a tradeoff between​ cost and achieved coverage​‌ of the considered operational​​ design domain. Often scenarios​​​‌ are derived from accident​ statistics and real traffic​‌ datasets. Expertise knowledge for​​ the tasks of selecting​​​‌ the scenarios for testing​ and/or simulation is highly​‌ required. This task is​​ carried out mostly manually,​​​‌ and would benefit from​ a precise method to​‌ assess scenario relevance and​​ compare scenarios.

In collaboration​​​‌ with Lina Marsso (Polytechnique​ Montréal, Canada), Christian Laugier,​‌ and Alessandro Renzaglia (CHROMA​​ project-team), we proposed an​​​‌ automatic approach to generate​ a large number of​‌ relevant critical scenarios for​​ autonomous driving simulators. The​​ approach relies on the​​​‌ generation of behavioral conformance‌ tests using the TESTOR‌​‌ tool  35, from​​ an LNT model (specifying​​​‌ the ground truth configuration‌ with the range of‌​‌ vehicle behaviors) and a​​ test purpose (specifying the​​​‌ critical feature under analysis).‌ The obtained test cases‌​‌ (which cover all possible​​ executions exercising a given​​​‌ feature) are automatically translated‌ into the inputs of‌​‌ autonomous driving simulators.

In​​ 2025, in the framework​​​‌ of the A-IQ Ready‌ project (see § 8.2.1‌​‌), we continued this​​ line of work as​​​‌ follows:

• We pursued the‌ formal modelling and simulation‌​‌ of pedestrian behaviours in​​ shared spaces, focusing on​​​‌ the interactions between pedestrians‌ and AVs. We developed‌​‌ an LNT model of​​ pedestrian behaviour, integrating perception​​​‌ zones, attention mechanisms, and‌ a density-dependent personal space‌​‌ inspired by existing behavioural​​ models 38. The​​​‌ model combines driving forces‌ toward destinations with social‌​‌ interaction forces between pedestrians,​​ allowing realistic adaptation of​​​‌ trajectories in multi-agent scenarios.‌ Several simplifications were introduced‌​‌ to make the model​​ suitable for formal verification,​​​‌ including a grid-based environment‌ and abstracted physical constraints.‌​‌ The LNT model provides​​ a basis for verifying​​​‌ the safety of interactions‌ between pedestrians and an‌​‌ AV, as well as​​ generating scenarios for testing​​​‌ AVs in complex situations.‌
• We continued our work‌​‌ on a model-based methodology​​ to compare scenarios using​​​‌ quantitative measures computed from‌ a formal model of‌​‌ an AV in its​​ environment and a set​​​‌ of user-defined interesting event‌ sequences representing evaluation criteria.‌​‌ Quantitative measures are computed​​ using two different approaches:​​​‌ probabilistic model checking of‌ temporal logic properties and‌​‌ conformance testing guided by​​ test purposes—both temporal properties​​​‌ and test purposes being‌ derived from the considered‌​‌ event sequences. This methodology​​ facilitates the selection of​​​‌ the scenarios having the‌ best tradeoff between coverage‌​‌ and overall testing cost​​ (both for simulation and​​​‌ field testing). We applied‌ the methodology to compare‌​‌ variations of five scenarios,​​ derived from frequent situations​​​‌ in accident statistics, using‌ several evaluation criteria (occurrence‌​‌ of collision, successful arrival,​​ duration). This work led​​​‌ to a publication in‌ an international conference 12‌​‌ and to an article​​ submitted to an international​​​‌ journal.

6.5.2 Job-Shop Scheduling‌

Participants: Radu Mateescu,‌​‌ Wendelin Serwe [correspondent],​​ Aline Uwimbabazi.

The​​​‌ job-shop scheduling problem is‌ a well-known NP-hard scheduling‌​‌ problem, where a set​​ of jobs (consisting of​​​‌ a sequence of tasks)‌ have to be executed‌​‌ on a set of​​ machines, each task specifying​​​‌ its duration and the‌ required machine.

In 2025,‌​‌ in the framework of​​ the A-IQ Ready project​​​‌ (see § 8.2.1),‌ we pursued our work‌​‌ on the Job-Shop Scheduling​​ Problem to compute schedules​​​‌ for autonomous robots using‌ the state-space exploration algorithms‌​‌ of CADP. We continued​​ experimenting several encodings of​​​‌ the problem in the‌ LNT language, with the‌​‌ goal of developing efficient​​ models that can provide​​​‌ better solutions than those‌ found in some benchmark‌​‌ instances or found using​​ reinforcement learning. Our models​​​‌ can be used to‌ study the Job-Shop Scheduling‌​‌ Problem because we were​​​‌ able to generate the​ complete Labelled Transition System​‌ (LTS) of a given​​ instance, which allowed us​​​‌ to find all possible​ solutions. This work led​‌ to a book chapter​​ that was accepted for​​​‌ publication.

6.5.3 High-Performance Data​ Cache

Participants: Zachary Assoumani​‌, Radu Mateescu,​​ Wendelin Serwe [correspondent].​​​‌

To reduce costs in​ hardware design, it is​‌ crucial to spot any​​ unwanted behaviours early in​​​‌ the design process of​ complex architectures, starting with​‌ the informal specifications, which​​ are particularly prone to​​​‌ ambiguities and oversights. Formal​ methods are suitable vehicles​‌ to describe, simulate, and​​ also verify specifications of​​​‌ architectures.

In 2025, in​ collaboration with César Fuguet​‌ (MADMAX project-team), we considered​​ the formal modeling and​​​‌ analysis of the High-Performance​ Data Cache (HPDcache)  41​‌, a non-blocking L1​​ data cache for RISC-V​​​‌ cores and accelerators. Starting​ from its informal specification,​‌ we produced a formal​​ model of the HPDcache​​​‌ in LNT. We also​ formally expressed the memory​‌ consistency rules of the​​ RISC-V specification as MCL​​​‌ formulas. Using the CADP​ tools supporting LNT and​‌ MCL, we uncovered a​​ possible violation of the​​​‌ memory consistency rules by​ the informal specification of​‌ the HPDcache. We created​​ an issue in the​​​‌ official HPDcache repository, which​ has been fixed (the​‌ SystemVerilog code was not​​ affected). This work led​​​‌ to an extended abstract​ presented as poster at​‌ an international conference 19​​.

6.5.4 Algorand Consensus​​​‌ Protocol

Participants: Hubert Garavel​.

A blockchain is​‌ a distributed, tamper-proof ledger​​ system that permanently records​​​‌ transactions across a network​ of possibly untrusted nodes.​‌ The ledger maintains a​​ cryptographically linked list of​​​‌ committed blocks, each one​ containing a reference to​‌ the previous block, forming​​ an immutable chain of​​​‌ records. In its pure​ form (called public or​‌ permissionless blockchain), any node​​ can join or leave​​​‌ the system at any​ time, with agreement on​‌ transaction history being reached​​ via a consensus protocol​​​‌ instead of a centralized​ trusted party. Algorand is​‌ a scalable and secure​​ permissionless blockchain that achieves​​​‌ proof-of-stake consensus via cryptographic​ self-sortition and binary Byzantine​‌ agreement.

In 2025, in​​ collaboration with Andrea Esposito,​​​‌ Francesco Rossi, and Marco​ Bernardo (University of Urbino,​‌ Italy) and Francesco Fabris​​ (University of Trieste, Italy),​​​‌ we devised a process​ algebraic model of the​‌ Algorand protocol with the​​ aim of enabling formal​​​‌ verification. Our model captures​ the behavior of participants​‌ in terms of the​​ structured alternation of consensus​​​‌ steps toward a committee-based​ agreement. We validated the​‌ correctness of the protocol​​ in the absence of​​​‌ adversaries and then extended​ our model to assess​‌ the influence of coordinated​​ malicious nodes that can​​​‌ force the commit of​ an empty block instead​‌ of the proposed one.​​ The adversarial scenario was​​​‌ analyzed using CADP through​ an equivalence-checking-based noninterference framework,​‌ which highlighted both the​​ robustness and the limitations​​​‌ of the Algorand protocol​ under adversarial assumptions. This​‌ work was published as​​ a research report 18​​​‌.

6.5.5 Mobile Robots​

Participants: Radu Mateescu,​‌ Wendelin Serwe [correspondent],​​ Aline Uwimbabazi.

Robot​​ systems increasingly interact with​​​‌ humans in various domains,‌ such as transport, environment,‌​‌ health, and social care.​​ Indoor navigation of robots​​​‌ poses several challenges. Firstly,‌ the indoor spaces are‌​‌ dynamic: people move, floor​​ might be wet, doors​​​‌ open and close, or‌ the plans for the‌​‌ mobile robot might have​​ been changed. Secondly, the​​​‌ robots should respect constraints‌ such as safety, accessibility,‌​‌ and environment disruptions.

In​​ 2025, in the framework​​​‌ of the A-IQ Ready‌ project (see § 8.2.1‌​‌), in collaboration with​​ Lina Marsso and Pierre-Yves​​​‌ Lajoie (Polytechnique Montréal, Canada),‌ we considered the formal‌​‌ modeling of the behavior​​ of a mobile robot​​​‌ that interacts with humans‌ in dynamic indoor environments.‌​‌ Specifically, we modeled in​​ LNT the behavior of​​​‌ a robot assisting humans‌ (static and moving) with‌​‌ the food preparation, and​​ calling for help in​​​‌ emergency situations (e.g., when‌ a human has fallen‌​‌ on the floor). The​​ robot behavior is defined​​​‌ by several operations assisting‌ the food preparation (successful‌​‌ move, detection, taking and​​ giving an object) and​​​‌ handling emergency situations (detection,‌ calling for help, giving‌​‌ instructions). Besides the appropriate​​ actions of the robot​​​‌ in each case, the‌ LNT model also comprises‌​‌ the probabilities for the​​ robot’s actions to be​​​‌ performed successfully (e.g., the‌ probability of finding the‌​‌ closest human to call​​ for help, or navigating​​​‌ along the shortest path).‌ The LNT model will‌​‌ serve as basis to​​ analyze the safety of​​​‌ robot interactions and to‌ study the variation of‌​‌ action probabilities depending on​​ environmental changes.

7.1.1 Euris​​

Participants: Suraj Gupta,​​​‌ Frédéric Lang, Gwen‌ Salaün [correspondent].

S.‌​‌ Gupta is supported by​​ a CIFRE grant (from​​​‌ February 2024 to January‌ 2027) from Euris (Paris)‌​‌ on the formal modeling​​ and analysis of blockchain​​​‌ protocols in the health‌ domain, under the supervision‌​‌ of Gwen Salaün, Frédéric​​ Lang, and Umar Ozeer​​​‌ (Euris).

7.1.2 Public IA‌

Participants: Nabil Bouchta,‌​‌ Gwen Salaün [correspondent].​​

N. Bouchta is supported​​​‌ by a CIFRE grant‌ (from November 2025 to‌​‌ October 2028) from Public​​ IA (Illkirch-Graffenstaden) on the​​​‌ formal modeling, analysis, and‌ optimization of business processes,‌​‌ under the supervision of​​ Gwen Salaün, Jean-Michel Bernabotto​​​‌ (Public IA), and Quentin‌ Christoffel (Public IA).

8.1.1‌ Other international collaborations

In‌​‌ 2025, we had scientific​​ relations with several universities​​​‌ and institutes abroad, including:‌

• University of Oxford, UK‌​‌ (Dave Parker)
• University of​​ Urbino, Italy (Marco Bernardo)​​​‌
• Saarland University, Germany (Holger‌ Hermanns)
• University of Málaga,‌​‌ Spain (Francisco Durán)
• Polytechnique​​ Montréal, Canada (Lina Marsso)​​​‌

8.2.1‌ Horizon Europe

8.2.2 Other​​ european programs/initiatives

The CONVECS​​​‌ project-team is member of‌ the FMICS (Formal‌​‌ Methods for Industrial Critical​​ Systems) working group​​​‌ of ERCIM. H.‌ Garavel and R. Mateescu‌​‌ are members of the​​ FMICS board, H. Garavel​​​‌ being in charge of‌ dissemination actions.

8.3.1 PEPR Cloud​​

The cloud has become​​​‌ an essential ingredient of‌ IT systems. Its model,‌​‌ initially based on large​​ data centers, has evolved​​​‌ towards “edge computing” or‌ “digital continuum”, developing secure,‌​‌ interoperable hybrid clouds to​​ process large volumes of​​​‌ data quickly and efficiently.‌ This change is crucial‌​‌ for future applications such​​ as smart cities or​​​‌ autonomous vehicles. However, cloud‌ software needs to be‌​‌ rethought to adapt to​​ the diversity of operators,​​​‌ multiple access points, user‌ and resource mobility, while‌​‌ addressing the challenges of​​ security and energy consumption​​​‌ control.

The PEPR Cloud‌ is a research program‌​‌ promoted by the French​​ government as part of​​​‌ the France 2030 “Cloud”‌ strategy to develop secure‌​‌ and frugal Cloud technologies.​​ PEPR Cloud aims to​​​‌ advance Cloud technologies and‌ facilitate the transfer of‌​‌ innovations and solutions from​​ research to industry. PEPR​​​‌ Cloud started in April‌ 2024 for seven years.‌​‌ CONVECS is involved in​​ two projects of PEPR​​​‌ Cloud, described below.

8.3.2 Other national collaborations​

We had sustained scientific​‌ relations with the following​​ researchers:

• César Fuguet (MADMAX​​​‌ project-team)

8.4.1 Région Auvergne-Rhône-Alpes

Participants:​‌ Gwen Salaün [correspondent].​​

MOAP is a project​​​‌ funded by the Auvergne-Rhône-Alpes​ region within the Pack​‌ Ambition Recherche programme. The​​ project involves the project-teams​​​‌ CONVECS and CORSE, and​ the SOITEC company. MOAP​‌ aims at providing modelling​​ and automated analysis techniques​​​‌ for enabling companies to​ master the complexity of​‌ their internal processes and​​ for optimizing those processes​​​‌ with the final goal​ of improving the quality​‌ and productivity of their​​ businesses.

MOAP started in​​​‌ October 2020 for five​ years. The main contributions​‌ of CONVECS to MOAP​​ are the formal modeling​​​‌ and automated verification of​ BPMN processes.

9.1.1 Scientific events:​​ organisation

9.1.2 Scientific events:‌ selection

9.1.3 Journal

9.1.4 Software dissemination and​ internet visibility

The CONVECS​‌ project-team distributes several software​​ tools, among which the​​​‌ CADP toolbox.

In 2025,​ the main facts are​‌ the following:

• We prepared​​ and distributed twelve successive​​​‌ versions (2025-a to 2025-l)​ of CADP.
• We granted​‌ CADP licenses for 171​​ different computers in the​​​‌ world.

The CONVECS Web​ site was updated with​‌ scientific contents, announcements, publications,​​ etc.

By the end​​​‌ of December 2025, the​ CADP forum, opened​‌ in 2007 for discussions​​ regarding the CADP toolbox,​​​‌ had over 483 registered​ users and over 2014​‌ messages had been exchanged.​​

Also, for the 2025​​​‌ edition of the Model​ Checking Contest, we provided​‌ 3 families of models​​ (totalling 54 Nested-Unit Petri​​​‌ Nets) derived from our​ LNT models.

Other teams​‌ also used the CADP​​ toolbox for various case​​​‌ studies:

• Checking model consistency​ in service-oriented systems  33​‌
• Timing analysis of service-oriented​​ architectures in software-defined vehicles​​​‌  40
• Bridging threat models​ and detections using formal​‌ verification  39
• Identifying vulnerabilities​​ of operational technology protocols​​​‌ in industrial IoT  20​

9.1.5 Invited talks

• Z.​‌ Assoumani gave a talk​​ entitled “Connecting Hardware​​​‌ Description Languages and Formal​ Languages” at the​‌ Archi-CESAM project workshop held​​ at Inria Paris on​​​‌ November 5, 2025.
• H.​ Garavel gave a talk​‌ entitled “Formal Study​​ of Algorand's Byzantine Agreement​​​‌ Algorithm” at the​ seminar of the MTV2​‌ (Méthodes de test​​ pour la validation et​​​‌ la vérification) working​ group of the GDR​‌ GPL, held at Grenoble,​​ France, on December 11,​​​‌ 2025.
• R. Mateescu gave​ a talk entitled “​‌Improving PSS Test Generation​​ Using Model Checking and​​​‌ Conformance Testing” at​ the scientific seminar of​‌ the PEPR Cloud held​​ online on September 19,​​​‌ 2025.
• Q. Nivon gave​ a talk entitled “​‌LLM-Based Generation of BPMN​​ Workflows From Textual Descriptions​​​‌” at the “BPM​ & IA” workshop organized​‌ by G. Salaün at​​ the LIG laboratory on​​​‌ May 14, 2025.
• G.​ Salaün gave a talk​‌ entitled “Modelling, Runtime​​ Analysis and Optimization of​​​‌ Business Processes” at​ the seminar of the​‌ MTV2 (Méthodes de​​ test pour la validation​​​‌ et la vérification)​ working group of the​‌ GDR GPL, held at​​ Grenoble, France, on December​​​‌ 11, 2025.
• G. Salaün​ gave a talk entitled​‌ “Quantitative Analysis and​​ Runtime Enforcement for IEC​​​‌ 61499” at the​ 11th International Summer School​‌ on Industrial Agents (ISSIA’25)​​ held at Ancona, Italie,​​​‌ on June 30 –​ July 4, 2025.
• G.​‌ Salaün gave a talk​​ entitled “Modelling, Analysis​​​‌ and Optimization of BPMN​ Processes” at IRIT,​‌ Toulouse, France, on June​​ 10, 2025.
• G. Salaün​​​‌ gave a talk entitled​ “LLM-Based Generation of​‌ BPMN Workflows From Textual​​ Descriptions” at ANITI,​​ Toulouse, France, on June​​​‌ 10, 2025.

9.1.6 Research‌ administration

• R. Mateescu is‌​‌ the scientific correspondent of​​ the International Partnerships for​​​‌ Inria Grenoble.
• R. Mateescu‌ was a member of‌​‌ the “Comité d'Orientation​​ Scientifique” for Inria​​​‌ Grenoble until August 31,‌ 2025.
• R. Mateescu is‌​‌ representative of Inria Grenoble​​ at the International Relations​​​‌ and Outreach of Université‌ Grenoble Alpes (UGA).
• G.‌​‌ Salaün is the director​​ of the MSTIC research​​​‌ department of UGA.
• G.‌ Salaün was the president‌​‌ of the scientific evaluation​​ committee “Sciences et​​​‌ génie du logiciel, Réseaux‌ de communication multi-usages et‌​‌ infrastructures de haute performance​​” of ANR (CE25)​​​‌ from 2022 to 2025.‌
• W. Serwe is the‌​‌ chair of the “​​Commission du développement technologique​​​‌”, which is in‌ charge of selecting R&D‌​‌ projects for Inria Grenoble,​​ and giving an advice​​​‌ on the recruitment of‌ temporary engineers.
• W. Serwe‌​‌ is a member of​​ the “Comité de​​​‌ Centre” at Inria‌ Grenoble.

9.2.1 Teaching

CONVECS is‌ a host team for‌​‌ the computer science master​​ MOSIG (Master of​​​‌ Science in Informatics at‌ Grenoble), common to‌​‌ Grenoble INP and UGA.​​

In 2025, we carried​​​‌ out the following teaching‌ activities:

• Z. Assoumani gave‌​‌ a course on “​​Théorie des langages 2​​​‌” (18 hours “‌équivalent TD”) to‌​‌ first year students of​​ ENSIMAG.
• Z. Assoumani gave​​​‌ a course on “‌Algorithmique distribuée” (15‌​‌ hours “équivalent TD​​”) to fourth year​​​‌ students of Polytech.
• Z.‌ Assoumani gave a course‌​‌ on “Sémantique des​​ langages de programmation &​​​‌ compilation” (30 hours‌ “équivalent TD”)‌​‌ to M1 students of​​ UGA.
• Z. Assoumani gave​​​‌ a course on “‌Automates et langages”‌​‌ (29 hours “équivalent​​ TD”) to L2​​​‌ students of UGA.
• F.‌ Lang gave a course‌​‌ on “Formal Software​​ Development Methods” (7.5​​​‌ hours “équivalent TD‌”) in the framework‌​‌ of the “Software​​ Engineering” lecture given​​​‌ to first year students‌ of the MOSIG.
• F.‌​‌ Lang gave a course​​ on “Programming Languages,​​​‌ Compilers, and Semantics”‌ (27 hours “équivalent‌​‌ TD”) to first​​ year students of the​​​‌ MOSIG and of the‌ Master 1 Informatique.
• F.‌​‌ Lang and R. Mateescu​​ gave a lecture on​​​‌ “Modeling and Analysis‌ of Concurrent Systems: Models‌​‌ and Languages for Model​​ Checking” (27 hours​​​‌ “équivalent TD”)‌ to third year students‌​‌ of ENSIMAG.
• F. Lang​​ gave a course on​​​‌ “Modeling and Analysis‌ of Asynchronous Concurrent Systems‌​‌” (15 hours “​​équivalent TD”) in​​​‌ the framework of the‌ “Safety Critical Systems‌​‌” lecture given to​​ second year students of​​​‌ the MOSIG.
• G. Salaün‌ taught about 100 hours‌​‌ of classes (algorithmics, Web​​ development, object-oriented programming) at​​​‌ the MMI department of‌ IUT1/UGA.
• W. Serwe supervised‌​‌ a group of six​​ teams in the context​​​‌ of the “projet‌ Génie Logiciel” (55‌​‌ hours “équivalent TD​​​‌”, consisting in 13.5​ hours of lectures, plus​‌ supervision and evaluation), ENSIMAG,​​ January 2025.

9.2.2 Supervision​​​‌

• PhD: Q. Nivon, “​Analysis, Optimisation and Debugging​‌ of BPMN Processes”,​​ Université Grenoble Alpes, defended​​​‌ on December 12, 2025,​ G. Salaün
• PhD in​‌ progress: Z. Assoumani, “​​Conception rigoureuse de circuits​​​‌ basée sur les méthodes​ formelles”, Université Grenoble​‌ Alpes, since October 2024,​​ R. Mateescu and W.​​​‌ Serwe
• PhD in progress:​ N. Bouchta, “Modélisation​‌ formelle, analyse et optimisation​​ de processus métier”,​​​‌ Université Grenoble Alpes, since​ November 2025, G. Salaün,​‌ Jean-Michel Bernabotto (Public IA),​​ and Quentin Christoffel (Public​​​‌ IA)
• PhD in progress:​ S. Gupta, “Using​‌ blockchains for managing EHRs​​ (Electronic Health Records)”,​​​‌ Université Grenoble Alpes, since​ January 2024, G. Salaün,​‌ F. Lang, and Umar​​ Ozeer (Euris)
• PhD in​​​‌ progress: J-B. Horel, “​Validation des composants de​‌ perception basés sur l'IA​​ dans les véhicules autonomes​​​‌”, Université Grenoble Alpes,​ since April 2021, R.​‌ Mateescu, Alessandro Renzaglia, and​​ Christian Laugier (CHROMA project-team)​​​‌
• PhD in progress: A.​ Khebbeb, “Formal Modelling​‌ and Automated Analysis of​​ Resource Provisioning Languages”,​​​‌ Université Grenoble Alpes, since​ December 2024, G. Salaün​‌ and Philippe Merle (SPIRALS​​ project-team, Lille)

9.2.3 Juries​​​‌

• R. Mateescu was reviewer​ of Dumitru-Bogdan Prelipcean’s PhD​‌ thesis, entitled “Applications​​ des méthodes formelles à​​​‌ la détection de logiciels​ malveillants”, defended at​‌ Université Paris-Est Créteil on​​ September 12, 2025.

International peer-reviewed conferences

• 10​​​‌ inproceedingsA.Almo Cuci‌, U.Umar Ozeer‌​‌ and G.Gwen Salaün​​. Modelling and Verification​​​‌ of an Application for‌ Managing Sensitive Health Data‌​‌.DataMod 2023 -​​ 11th International Symposium on​​​‌ From Data to Models‌ and Back14618Lecture‌​‌ Notes in Computer Science​​Eindhoven, NetherlandsSpringer Nature​​​‌ SwitzerlandApril 2025,‌ 127-141HALDOI
• 11‌​‌ inproceedingsS.Suraj Gupta​​, F.Frédéric Lang​​​‌, U.Umar Ozeer‌ and G.Gwen Salaün‌​‌. Blockchain as a​​ Service for Electronic Health​​​‌ Records.Preoceedings of‌ the IEEE International Conference‌​‌ on Digital Health (ICDH​​ 2025)ICDH 2025 -​​​‌ IEEE International Conference on‌ Digital HealthHelsinki, Finland‌​‌IEEE2025, 91-101​​HALDOIback to​​​‌ text
• 12 inproceedingsJ.-B.‌Jean-Baptiste Horel, P.‌​‌Philippe Ledent, R.​​Radu Mateescu, W.​​​‌Wendelin Serwe and A.‌Aline Uwimbabazi. Assessing‌​‌ Test Scenarios for Autonomous​​ Driving Using Probabilistic Model​​​‌ Checking.Lecture Notes‌ in Computer ScienceICTSS‌​‌ 2025 - 37th IFIP​​ WG 6.1 International Conference​​​‌ on Testing Software and‌ Systems16107Lecture Notes‌​‌ in Computer ScienceLimassol,​​ CyprusSpringer Nature Switzerland​​​‌September 2026, 273-289‌HALDOIback to‌​‌ text
• 13 inproceedingsD.​​David Kaufmann, R.​​​‌Radu Mateescu, L.‌Lucie Muller, W.‌​‌Wendelin Serwe and F.​​Franz Wotawa. Formal​​​‌ Methods for Residual Risk‌ Reduction in Cyber-Physical Systems‌​‌.QRS 2025 -​​ 25th International Conference on​​​‌ Software Quality, Reliability and‌ SecurityHangzhou, ChinaIEEE‌​‌2025, 258-269HAL​​DOI
• 14 inproceedingsQ.​​​‌Quentin Nivon, G.‌Gwen Salaün and F.‌​‌Frédéric Lang. GIVUP:​​ Automated Generation and Verification​​​‌ of Textual Process Descriptions‌.FSE 2025 -‌​‌ 33rd ACM International Conference​​ on the Foundations of​​​‌ Software EngineeringTrondheim, Norway‌2025, 1-5HAL‌​‌DOIback to text​​

Conferences without proceedings

• 15​​​‌ inproceedingsD.David Cremer‌, B.Benjamin Dalmas‌​‌, Q.Quentin Nivon​​ and G.Gwen Salaün​​​‌. Incremental Synchronization of‌ BPMN Models and Documentations‌​‌ by Leveraging Structural Algorithms​​ and LLMs.CoopIS​​​‌ 2025 - International Conference‌ on Cooperative Information Systems‌​‌Marbella, Spain2025,​​ 1-18HALback to​​​‌ text

Scientific book chapters‌

• 16 inbookH.Hubert‌​‌ Garavel and H.Holger​​ Hermanns. Nondeterminism in​​​‌ Interactive Markov Chains, with‌ Application to the Erlangen‌​‌ Mainframe.15760Principles​​ of Formal Quantitative Analysis​​​‌Lecture Notes in Computer‌ ScienceSpringer Nature Switzerland‌​‌August 2026, 15-69​​​‌HALDOIback to​ text

Edition (books, proceedings,​‌ special issue of a​​ journal)

• 17 periodicalFormal​​​‌ methods for industrial critical​ systems.International Journal​‌ on Software Tools for​​ Technology Transfer275​​​‌October 2025, 439-441​HALDOI

Reports &​‌ preprints

• 18 reportA.​​Andrea Esposito, F.​​​‌Francesco Rossi, M.​Marco Bernardo, F.​‌Francesco Fabris and H.​​Hubert Garavel. Formal​​​‌ Modeling and Verification of​ the Algorand Consensus Protocol​‌ in CADP.ArXiv​​2025, 1-25HAL​​​‌DOIback to text​

Other scientific publications

• 19​‌ inproceedingsZ.Zachary Assoumani​​, C.César Fuguet​​​‌, R.Radu Mateescu​ and W.Wendelin Serwe​‌. On Benefits of​​ Modeling the HPDcache in​​​‌ LNT.RISC-V 2025​ -RISC-V Summit EuropeParis,​‌ France2025, 1-1​​HALback to text​​​‌