Recent publications
Formal methods encompass a wide choice of techniques and tools for the specification, development, analysis, and verification of software and hardware systems. Formal methods are widely applied in industry, in activities ranging from the elicitation of requirements and the early design phases all the way to the deployment, configuration, and runtime monitoring of actual systems. Formal methods allow one to precisely specify the environment in which a system operates, the requirements and properties that the system should satisfy, the models of the system used during the various design steps, and the code embedded in the final implementation, as well as to express conformance relations between these specifications. We present a broad scope of successful applications of formal methods in industry, not limited to the well-known success stories from the safety-critical domain, like railways and other transportation systems, but also covering other areas such as lithography manufacturing and cloud security in e-commerce, to name but a few. We also report testimonies from a number of representatives from industry who, either directly or indirectly, use or have used formal methods in their industrial project endeavours. These persons are spread geographically, including Europe, Asia, North and South America, and the involved projects witness the large coverage of applications of formal methods, not limited to the safety-critical domain. We thus make a case for the importance of formal methods, and in particular of the capacity for abstraction and mathematical reasoning that is taught as part of any formal methods course. These are fundamental Computer Science skills that graduates should profit from when working as computer scientists in industry, as confirmed by industry representatives.
The article focuses on the continuous improvement of Atelier B’s automatic proof capabilities since its industrialisation in the 90s. The evolution of Atelier B addressed challenges in proof obligations generation and optimisation, adapting to new languages like Event-B and incorporating newer formats for easier analysis and third-party prover connections. Significant developments include enhancing the proof system to handle complex proof obligations efficiently and integrating external provers for improved proof capabilities. The article also showcases B’s industrial applications in critical sectors, emphasising the method’s importance in safety-critical software development and the ongoing efforts to facilitate proof activities and integrate AI for better proof automation.
In previous work, we have presented a methodology for the specification and verification of relay-based Railway Interlocking Systems (RIS) based on their transient states. By using CSP as formal support, it is possible to use a model checker in order to analyse the safety of such critical systems as a way to improve their safety. However, this type of verification tends to consume a lot of computational resources, which hinders the use of this methodology for industrial systems. This work presents a proposal for a new methodology for the specification of RIS. In this work we rebuild the whole model by changing the notion of components, integrating them in the core of the model while keeping their interface visible to the end user. In this context, it is possible to maintain the concepts of instantiating and combining components while reducing the number of components and states, as a way to alleviate the time spent on model checking. Besides, we propose a new methodology of verification based on the decomposition of the model. Our new proposed approach supports the analysis of a bigger set of properties of these systems, like the analysis of the Ringbell Effect, short circuits, deadlocks, divergences, and components that cannot be activated at the same time. In order to evaluate our approach, a new industrial case study is modelled and analysed.
Fat is physiologically embedded within the interosseous ligaments in the posterior part of the sacroiliac joint (PSIJ). This composite of fat and ligaments is hypothesized to serve a shock-absorbing, stabilizing function for the sacroiliac joint and the lumbopelvic transition region. Using a novel Python-based software (VolSEQ), total PSIJ volume and fat volume were computed semi-automatically. Differences within the cohort and the viability of the program for the quantification of fat in routine computed tomography (CT) scans were assessed. In 37 CT scans of healthy individuals, the PSIJ were first manually segmented as a region of interest in OSIRIX. Within VolSEQ, ‘fat’ Hounsfield units (− 150 to − 50 HU) are selected; the DICOM file of the patient scan and the associated region of interest file from OSIRIX were imported, and the pixel sub-volumes were then automatically computed. Volume comparisons were made between sexes, sides and ages (≤ 30, 31–64 and > 65 years). PSIJ volumes in both programs (VolSEQ vs. OSIRIX) were non-different (both 9.7 ± 2.8 cm³; p = 0.9). Total PSIJ volume (p = 0.3) and fat volume (p = 0.7) between sexes were non-different. A significant difference in total PSIJ volume between sexes (p < 0.01) but not in fat volume (p = 0.3) was found only in the ≥ 65 years cohort. Fat volume within the PSIJ remains unchanged throughout life. PSIJ volume is sex-dependent after 65 years. VolSEQ is a viable and user-friendly method for sub-volume quantification of tissues in CT.
The B-Method has an interesting history, where language and tools have evolved over the years. This not only led to considerable research and progress in the area of formal methods, but also to numerous industrial applications, in particular in the railway domain. We present a survey of the industrial usage of the B-Method since the first toolset in 1993 and the inauguration of the driverless metro line 14 in Paris in 1999. We discuss the various areas of applications, from software development to data validation and on to systems modelling. The evolution of the tooling landscape is also analysed, and we present an assessment of the current situation, lessons learned and possible new directions.
Refinement consists of detailing the specification in order to get a more concrete model. However, this technique leads to large models. Hence, model decomposition is used to reduce model complexity. In this paper, we present the main methods of decomposition and their limitations. Then, we define the decomposition by refinement method that deals with these limitations. Thereafter, we proceed with the rules to follow in order to get a correct decomposed model.
The CLEARSY Safety Platform (CSSP) was designed to ease the development of safety critical systems and to reduce the overall costs (development, deployment, and certification) under the pressure of the worldwide market. A smart combination of hardware features (double processor) and formal method (B method and code generators) was used to produce a SIL4-ready platform where safety principles are built-in and cannot be altered by the developer. Summarizing a 5-year return of experience in the effective application in the railways, this article explains how this approach is a game-changer and tries to anticipate the future of this platform for safety critical systems. In particular, the education of future engineers and the seamless integration in existing engineering processes with the support of Domain Specific Languages are key topics for a successful deployment in other domains. DSL like Robosim to program mobile robots and relay circuits to design railway signalling systems are connected to the platform.
Proof obligations of the B method and of Event B use predicates in the Constraints, Sets, Properties and Invariant clauses as hypotheses in proof obligations. A contradiction in these predicates results in trivially valid proof obligations and essentially voids the development. A textbook on the B method [3] presents three “existence proof obligations” to show the satisfiability of the Constraints, Properties and Invariant clauses as soon as they are stated in a component. Together with new existence proof obligations for refinement, this prevents the introduction of such contradictions in the refinement chain. This paper presents a detailed formalization of these existence proof obligations, specifying their implementation in Atelier B.
Software in industrial products, such as in the railway industry, constantly evolves to meet new or changing requirements. For projects with a lifetime spanning decades (such as the control software for energy plants, for railway lines, etc.), keeping track of the original design rationale through time is a significant challenge.
The argument of correctness in refinement-based formal software design often disregards source code analysis and code generation. To mitigate the risk of errors in these phases, certifications issued by regulation entities demand or recommend testing the generated software using a code coverage criterion. We propose improvements for the BTestBox, a tool for automatic generation of tests for software components developed with the B method. BTestBox supports several code coverage criteria and code generators for different languages. The tool uses a constraint solver to produce tests, thus being able to identify dead code and tautological branching conditions. It also generates reports with different metrics and may be used as an extension to Atelier B. Our tool performs a double task: first, it acts on the B model, by checking the code coverage. Second, the tool performs the translation of lower-level B specifications into programming language code, runs tests and compares their results with the expected output of the test cases. The present version of BTestBox uses parallelisation techniques that significantly improve its performance. The results presented here are encouraging, showing performance numbers that are one order of magnitude better than the ones obtained in the tool’s previous version.
Developing safety-critical systems is a very difficult task. Such systems require talented engineers, strong experience and dedication when designing the safety principles of these systems. Indeed, it must be demonstrated that no failure or combination of failures may lead to a catastrophic situation where people could be injured or could die because of that system. This article presents disruptive technologies that reduce the effort to develop such systems by providing integrated building blocks that are easier to use.
This paper describes a safety analysis effort on RATP’s communication-based train control (CBTC) system Octys. This CBTC is designed for multi-sourcing and brownfield deployment on an existing interlocking infrastructure. Octys is already in operation on several metro lines in Paris, and RATP plans its deployment on several other lines in the forthcoming years. Besides the size and complexity of the system, the main technical challenges of the analysis are to handle the existing interlocking functionalities without interfering with its design and to clearly identify the responsibilities of each subsystem supplier. The distinguishing aspect of this analysis is the emphasis put on intellectual rigor, this rigor being achieved by using formal proofs to structure arguments, then using the Atelier B tool to mechanically verify such proofs, encoded in the Event-B notation.
The application of automatic theorem provers to discharge proof obligations is necessary to apply formal methods in an efficient manner. Tools supporting formal methods, such as Atelier B, generate proof obligations fully automatically. Consequently, such proof obligations are often cluttered with information that is irrelevant to establishing their validity.
We present iapa, an "Interface to Automatic Proof Agents", a new tool that is being integrated into Atelier B, through which the user will access proof obligations, apply operations to simplify these proof obligations, and then dispatch the resulting, simplified proof obligations to a portfolio of automatic theorem provers.
Introducing the notion of Participatory Demand-Supply (PDS) systems as socio-technical systems, this paper focuses on a new approach to coordinating demand and supply in dynamic environments. A participatory approach to demand and supply provides a new frame of reference for system design, for which the engagement of all stakeholders plays an important role, as does distributed ICT. This approach has been applied to an industrial case to explore new opportunities enabled by distributed ICT for communication, negotiation, joint decision-making, and collective learning required for coordinating demand and supply. The application results in a platform as a test-bed for collecting relevant information to study the participation of stakeholders (actors) in coordinating a PDS system.
Clearsy is an engineering company specialized in system dependability. It verifies the concepts and tools required to create secure systems and uses formal techniques to define, design and validate systems, then creates critical software for their integration.
The Thermosphere, Ionosphere, Mesosphere Energetics and Dynamics (TIMED) spacecraft was designed at APL as the first Solar Terrestrial Probe in NASA's Solar Connections Program. The spacecraft supports the operation of four scientific remote-sensing instruments for a minimum of 2 years from a circular orbit 625 km in altitude with an inclination of 74.1degrees. TIMED has been designed with a significant amount of onboard autonomy, as it is run with a low-cost mission operations concept. The robust spacecraft with redundant subsystems features an Integrated Electronics Module that contains RF and digital subsystems in a common card cage. The TIMED GPS Navigation System uses the GPS for onboard tracking, navigation, and "event-based" commanding, and is key to the implementation of low-cost mission operations.
Information
Address
Aix-en-Provence, France