Towards a Formalism-Based Toolkit for Automotive Applications
The success of a number of projects has been shown to be significantly
improved by the use of a formalism. However, there remains an open issue: to
what extent can a development process based on a singular formal notation and
method succeed. The majority of approaches demonstrate a low level of
flexibility by attempting to use a single notation to express all of the
different aspects encountered in software development. Often, these approaches
leave a number of scalability issues open. We prefer a more eclectic approach.
In our experience, the use of a formalism-based toolkit with adequate notations
for each development phase is a viable solution. Following this principle, any
specific notation is used only where and when it is really suitable and not
necessarily over the entire software lifecycle. The approach explored in this
article is perhaps slowly emerging in practice - we hope to accelerate its
adoption. However, the major challenge is still finding the best way to
instantiate it for each specific application scenario. In this work, we
describe a development process and method for automotive applications which
consists of five phases. The process recognizes the need for having adequate
(and tailored) notations (Problem Frames, Requirements State Machine Language,
and Event-B) for each development phase as well as direct traceability between
the documents produced during each phase. This allows for a stepwise
verification/validation of the system under development. The ideas for the
formal development method have evolved over two significant case studies
carried out in the DEPLOY project.
Event-B model decomposition
Two methods have been identified in the DEPLOY project for Event-B model decomposition: the shared variable decomposition (called A-style decomposition), and the shared event decomposition (or B-style decomposition). Both allow the decomposition of a (concrete) model into several independent sub-models which may then be refined separately. The purpose of this paper is to introduce the Event-B model decomposition, from theory (A-style vs. B-style, differences and similarities) to practice (decomposition plug-in of the Rodin [1] platform).
A systematic approach to atomicity decomposition in Event-B
Event-B is a state-based formal method that supports a refinement process in which an abstract model is elaborated towards an implementation in a step-wise manner. One weakness of Event-B is that control flow between events is typically modelled implicitly via variables and event guards. While this fits well with Event-B refinement, it can make models involving sequencing of events more difficult to specify and understand than if control flow were explicitly specified. New events may be introduced in Event-B refinement and these are often used to decompose the atomicity of an abstract event into a series of steps. A second weakness of Event-B is that there is no explicit link between such new events that represent a step in the decomposition of atomicity and the abstract event to which they contribute. To address these weaknesses, atomicity decomposition diagrams support the explicit modelling of control flow and refinement relationships for new events. In previous work, the atomicity decomposition approach has been evaluated manually in the development of two large case studies, a multimedia protocol and a spacecraft sub-system. The evaluation results helped us to develop a systematic definition of the atomicity decomposition approach, and to develop a tool supporting the approach. In this paper we outline this systematic definition of the approach, the tool that supports it, and evaluate the contribution that the tool makes.
Abstract Data Types in Event-B - An Application of Generic Instantiation
Integrating formal methods into industrial practice is a challenging task.
Often, different kinds of expertise are required within the same development.
On the one hand, there are domain engineers who have specific knowledge of the
system under development. On the other hand, there are formal methods experts
who have experience in rigorously specifying and reasoning about formal
systems. Coordination between these groups is important for taking advantage of
their expertise. In this paper, we describe our approach of using generic
instantiation to facilitate this coordination. In particular, generic
instantiation enables a separation of concerns between the different parties
involved in developing formal systems.
Comment: In Proceedings of DS-Event-B 2012: Workshop on the experience of and
advances in developing dependable systems in Event-B, in conjunction with
ICFEM 2012 - Kyoto, Japan, November 13, 201
Practical Theory Extension in Event-B
The Rodin tool for Event-B supports formal modelling and proof using a mathematical language that is based on predicate logic and set theory. Although Rodin has in-built support for a rich set of operators and proof rules, for some application areas there may be a need to extend the set of operators and proof rules supported by the tool. This paper outlines a new feature of the Rodin tool, the theory component, that allows users to extend the mathematical language supported by the tool. Using theories, Rodin users may define new data types and polymorphic operators in a systematic and practical way. Theories also allow users to extend the proof capabilities of Rodin by defining new proof rules that get incorporated into the proof mechanisms. Soundness of new definitions and rules is provided through validity proof obligations.
The composition of Event-B models
The transition from classical B [2] to the Event-B language and method [3] has seen the removal of some forms of model structuring and composition, with the intention of reinventing them in future. This work contributes to that reinvention. Inspired by a proposed method for state-based decomposition and refinement [5] of an Event-B model, we propose a familiar parallel event composition (over disjoint state variable lists), and the less familiar event fusion (over intersecting state variable lists). A brief motivation is provided for these and other forms of composition of models, in terms of feature-based modelling. We show that model consistency is preserved under such compositions. More significantly, we show that model composition preserves refinement.