    Modelling the pacemaker in event-B: towards methodology for reuse

    The cardiac pacemaker is one of the system modelling problems posed to the Formal Methods community by the {\it Grand Challenge for Dependable Systems Evolution} \cite{JOW:06}. The pacemaker is an intricate safety-critical system that supports and moderates the dysfunctional heart's intrinsic electrical control system. This paper focusses on (i) the problem (requirements) domain specification and its mapping to solution (implementation) domain models, (ii) the significant commonality of behaviour between its many operating modes, emphasising the potential for reuse, and (iii) the development and verification of models. We introduce the problem and model three of the operating modes in the problem domain using a state machine notation. We then map each of these models into a solution domain state machine notation, designed as shorthand for a refinement-based solution domain development in the Event-B formal language and its RODIN toolkit.

    Redevelopment of an industrial case study using Event-B and Rodin

    CDIS is a commercial air traffic information system that was developed using formal methods 15 years ago by Praxis, and it is still in operation today. This system is an example of an industrial scale system that has been developed using formal methods. In particular, the functional requirements of the system were specified using VVSL -- a variant of VDM. A subset of the original specification has been chosen to be reconstructed on the Rodin platform based on the new Event-B formalism. The goal of our reconstruction was to overcome three key difficulties of the original formalisation, namely the difficulty of comprehending the original specification, the lack of any mechanical proof of the consistency of the specification and the difficulty of dealing with distribution and atomicity refinement. In this paper we elucidate how a new formal notation and tool can help to overcome these difficulties

    Formal modelling for Ada implementations: tasking Event-B

    This paper describes a formal modelling approach in which Ada code is automatically generated from the modelling artefacts. We introduce an implementation-level specification, Tasking Event-B, which is an extension to Event-B. Event-B is a formal method that can be used to model safety- and business-critical systems. The work may be of interest to the section of the Ada community interested in applying formal modelling techniques in their development process and automatically generating Ada code from the model. We describe a streamlined process in which the abstract modelling artefacts map easily to Ada language constructs. Initial modelling takes place at a high level of abstraction. We then use refinement, decomposition, and finally implementation-level annotations to generate Ada code. We provide a brief introduction to Event-B before illustrating the new approach using small examples taken from a larger case study.

    From Event-B models to code: sensing, actuating, and the environment

    The Event-B method is a formal approach for modelling systems in safety- and business-critical domains. In this paper we focus on multi-tasking, embedded control systems. Initially, system specification takes place at a high level of abstraction; detail is added in refinement steps as the development proceeds toward implementation. In previous work, we presented an approach for generating code for concurrent programs from Event-B. Translators generate program code for tasks that access data in a safe way, using shared objects. We did not distinguish between tasks of the environment and those of the controller. The work described in this paper offers improved modelling and code generation support, where we separate the environment from the controller. The events in the system can participate in actuating or sensing roles. In the resulting code, sensing and actuation can be simulated using a form of subroutine call, or additional information can be provided to allow a task to read/write directly from/to a specified memory location.

    Formal patterns for Web-based systems design

    The ubiquitous and simple interface of Web browsers has opened the door for the development of a new class of distributed applications which have become known as Web applications. As more and more systems become Web-enabled we become increasingly dependent on Web applications. Therefore, the reliability of such systems is a crucial factor for the successful operation of many modern organisations and institutes. In the first part of this thesis we review how Web systems have evolved from simple static pages, in their early days, to their current situation as distributed applications with sophisticated functionalities. We also find out how the design methods have evolved to align with the rapid changes both in the new emerging technologies and in the growing functionalities. Although design approaches for Web applications have improved during the last decade, we conclude that dependability should be given more consideration. In Chapter 2 we explain how this could be achieved through the application of formal methods. Therefore, we have provided an overview of dependability and formal methods in this chapter. In the second part of this research we follow a practical approach to the formal modelling of Web applications. Accordingly, in Chapter 3 we have developed a series of formal models for an integrated holiday booking system. Our main objectives are to gain some common knowledge of the domain and to identify some key areas and features with regard to our formal modelling approach. Formal modelling of large Web applications can be a very complex process. In Chapter 4 we have introduced the idea of formal patterns for specification and refinement to accelerate the modelling process and to help alleviate the burden of formal modelling. In a further attempt to tackle the complexity of the formal modelling of Web applications, we have introduced the idea of specification partitioning in Chapter 5. Specification partitioning is closely related to the notion of composition. In this chapter we have extended some CSP-like composition techniques to build the system specification from subsystems or parts. The summary of our research, related findings and some suggestions for future work are presented in Chapter 6.

    Language and tool support for event refinement structures in Event-B

    Event-B is a formal method for modelling and verifying the consistency of chains of model refinements. The event refinement structure (ERS) approach augments Event-B with a graphical notation which is capable of explicit representation of control flows and refinement relationships. In previous work, the ERS approach has been evaluated manually in the development of two large case studies, a multimedia protocol and a spacecraft sub-system. The evaluation results helped us to extend the ERS constructors, to develop a systematic definition of ERS, and to develop a tool supporting ERS. We propose the ERS language which systematically defines the semantics of the ERS graphical notation including the constructors. The ERS tool supports automatic construction of the Event-B models in terms of control flows and refinement relationships. In this paper we outline the systematic definition of ERS including the presentation of constructors, the tool that supports it and evaluate the contribution that ERS and its tool make. Also we present how the systematic definition of ERS and the corresponding tool can ensure a consistent encoding of the ERS diagrams in the Event-B models

    Applying Atomicity and Model Decomposition to a Space Craft System in Event-B

    Event-B is a formal method for modeling and verifying the consistency of systems. In formal methods such as Event-B, refinement is the process of enriching or modifying an abstract model in a step-wise manner in order to manage the development of complex and large systems. To further alleviate the complexity of developing large systems, Event-B refinement can be augmented with two techniques, namely atomicity decomposition and model decomposition. Our main objective in this paper is to investigate and evaluate the application of these techniques when used in a refinement-based development. These techniques have been applied to the formal development of a space craft system. The outcomes of this experimental work are presented as assessment results. The experience and assessment can form the basis for some guidelines on applying these techniques in future cases.

    Modelling complex timing requirements with refinement

    In the domain of formal modelling and verification of real-time safety-critical systems, our focus is on complex, i.e. nested, interdependent and cyclic, timing constraints. In Event-B, we present methodological support for our concept of a timing interval by defining a set of refinement transformations designed for structured modelling of such timing constraints. All timing-interval-related aspects are generated by our tool. An example development, abstracted from our work modelling a cardiac pacemaker, serves to illustrate the use of the transformations. The development is undertaken, proved and model-checked in the Rodin toolkit for Event-B.

    Transforming Event-B models to Dafny contracts

    Our work aims to build a bridge between constructive (top-down) and analytical (bottom-up) approaches to software verification. This paper presents a tool-supported method for linking two existing verification methods: Event-B (constructive) and Dafny (analytical). This method combines Event-B abstraction and refinement with the code-level verification features of Dafny. The link transforms Event-B models to Dafny contracts by providing a framework in which Event-B models can be implemented correctly. The paper presents a method for the transformation of Event-B models of abstract data types to Dafny contracts. A prototype tool implementing the transformation method is also outlined. The paper also defines and proves a formal link between property verification in Event-B and Dafny. Our approach is illustrated with a small case study.