Michael Butler

Michael Butler
University of Southampton · Faculty of Physical and Applied Sciences

About

317
Publications
44,536
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
6,729
Citations

Publications

Publications (317)
Chapter
Cyber-physical systems (CPS) often use open communications to expedite interactions and hence introduce security risks which can be exploited by attackers to cause unsafe failure conditions. Interfaces within the system require security properties (e.g. confidentiality, authentication and reliability) in order to ensure that potential risks are eli...
Article
Full-text available
Safety and security are key considerations in the design of critical systems. Requirements analysis methods rely on the expertise and experience of human intervention to make critical judgements. While human judgement is essential to an analysis method, it is also important to ensure a degree of formality so that we reason about safety and security...
Chapter
The Event-B modelling language has been used to formalise the semantics of other modelling languages such as Time Mobility (TiMo) or State Chart XML (SCXML). Typically, the syntactical elements of the languages are captured as Event-B contexts while the semantical elements are formalised in Event-B machines. An alternative for capturing a modelling...
Chapter
The increased complexity of high-consequence digital system designs with intricate interactions between numerous components has placed a greater need on ensuring that the design satisfies its intended requirements. This digital assurance can only come about through rigorous mathematical analysis of the design. This manuscript provides a detailed de...
Preprint
Full-text available
Safety and security are key considerations in the design of critical systems. Requirements analysis methods rely on the expertise and experience of human intervention to make critical judgements. While human judgement is essential to an analysis method, it is also important to ensure a degree of formality so that we \textit{reason about} safety and...
Chapter
In the design of critical systems, it is important to ensure a degree of formality so that we reason about safety and security at early stages of analysis and design, rather than detect problems later. Influenced by ideas from STPA we present a hierarchical analysis process that aims to justify the design and flow-down of derived critical requireme...
Chapter
UML-B is a UML-like diagrammatic front end for the Event-B formal modelling language. We have been developing UML-B for over 20 years and it has gone through several iterations, each with significant changes of approach. The first version was an adaptation of a UML tool, the second generated a complete Event-B project, the third contributed parts o...
Chapter
We present the CamilleX framework for the Rodin platform in this paper. The framework provides a textual representation and persistence for the Event-B modelling constructs. It supports direct extensions to the Event-B syntax, such as machine inclusion and record structures, and indirect extensions provided by other plugins, such as UML-B diagrams....
Chapter
Event-B is a formal method that facilitates rigorous analysis and correct-by-construction development of software and hardware systems. SPARK is a computer programming language for the development of high integrity software. Linking Event-B at design level and SPARK at implementation level allows us to formally verify the relationship between appli...
Conference Paper
Full-text available
Increased systems complexity and ubiquitous computing drive the need for improved systems design. Model-based systems engineering using general purpose languages such as SysML, is a wellestablished response to this challenge. However, for systems where correctness-by-construction is critical, formal methods are often also deployed. This is a signif...
Article
Stepwise development supported by the Event-B formalism has been used in the domain of system design and verification. This refinement approach guarantees that safety properties are preserved with Event-B proof obligations, while additional reasoning and fairness assumptions are required to prove the transformation of liveness properties in Event-B...
Chapter
State-based formal specifications benefit from data structuring mechanisms, which collate associated properties and efficiently declare complex types. For example, ‘record’ data structures, similar to those used in programming languages, can be built into the concrete syntax of a language as an enhancement over flat data relationships. While this i...
Chapter
Event-B, a refinement-based formal modelling language, has traditionally focused on safety, but now increasingly finds a new role in developing secure systems. In this paper we take a fresh look at security and focus on what security means for the system rather than looking at detailed protocols. We use Event-B for proving security from an abstract...
Chapter
Event-B is a state-based formal method for system development. The Event-B mathematical language does not support a syntax for the direct definition of structured types such as records. This paper proposes extending the Event-B language with direct record definitions. A key feature is the ability to extend records with new fields in refinement step...
Chapter
We present the CamilleX framework for the Rodin platform in this paper. The framework provides a textual representation and persistence for the Event-B modelling constructs. It supports direct extensions to the Event-B syntax such as machine inclusion and record structures, as well as indirect extensions provided by other plugins such as UML-B diag...
Conference Paper
Stepwise-based development supported by the Event-B formalism has been used in the domain of system design and verification. This refinement approach guarantees that safety properties are preserved, while additional reasoning is required to prove liveness properties. Our previous work proposes to use real-time trigger-response properties to reason...
Conference Paper
Full-text available
We present the CamilleX framework for the Rodin platform in this paper. The framework provides a textual representation and persistence for the Event-B modelling constructs. It supports direct extensions to the Event-B syntax such as machine inclusion and record structures, as well as indirect extensions provided by other plugins such as UML-B diag...
Conference Paper
Event-B is a state-based formal method for system development. The Event-B mathematical language does not support a syntax for the direct definition of structured types such as records. This paper proposes extending the Event-B language with direct record definitions.A key feature is the ability to extend records with new fields in refinement steps...
Conference Paper
Event-B, a refinement-based formal modelling language, has traditionally focused on safety, but now increasingly finds a new role in developing secure systems. In this paper we take a fresh look at security and focus on what security means for the system rather than looking at detailed protocols. We use Event-B for proving security from an abstract...
Conference Paper
State-based formal specifications benefit from data structuring mechanisms, which collate associated properties and efficiently declare complex types. For example, ‘record’ data structures, similar to those used in programming languages, can be built into the concrete syntax of a language as an enhancement over flat data relationships. While this i...
Article
A key risk with autonomous systems (AS) is the trustworthiness of the decision-making and control mechanisms that replace human control. To be trustworthy, systems need to remain safe while being resilient to unpredictable changes, functional/operational failures and cybersecurity threats. Rigorous validation and verification are essential to ensur...
Conference Paper
Although popular in industry, state-chart notations with ‘run to completion’ semantics lack formal refinement and rigorous verification methods. State-chart models are typically used to design complex control systems that respond to environmental triggers with a sequential process. The model is usually constructed at a concrete level and verified a...
Chapter
Although popular in industry, state-chart notations with ‘run to completion’ semantics lack formal refinement and rigorous verification methods. State-chart models are typically used to design complex control systems that respond to environmental triggers with a sequential process. The model is usually constructed at a concrete level and verified a...
Chapter
The guarded atomic action model of Event-B allows it to be applied to a range of systems including sequential, concurrent and distributed systems. However, the lack of explicit sequential structures in Event-B makes the task of sequential code generation difficult. Scheduled Event-B (SEB) is an extension of Event-B that augments models with control...
Article
Full-text available
Formal methods use abstraction and rigorously verified refinement to manage the design of complex systems, ensuring that they satisfy important invariant properties. However, formal verification is not sufficient: models must also be tested to ensure that they behave according to the informal requirements and validated by domain experts who may not...
Article
Event-B is a formal method that utilizes a stepwise development approach for system-level modeling and analysis. We are interested in reasoning about real-time deadlines and delays between trigger and response events. There is existing work on treating these properties in Event-B but it lacks a semantic treatment in terms of trace behaviors. Becaus...
Chapter
Statechart notations with ‘run to completion’ semantics, are popular with engineers for designing controllers that respond to events in the environment with a sequence of state transitions. However, they lack formal refinement and rigorous verification methods. Open image in new window , on the other hand, is based on refinement from an initial abs...
Article
The Event-B formalism offers a stepwise development approach for managing complexity in system design. However, the existing work that extends Event-B models with discrete timing properties inadequately represents the communication and competition between concurrent tasks in concurrent systems. In this paper, we present the semantics of the paramet...
Article
This paper introduces the topic of the Special Section on the ERTMS Level 3 Hybrid case study. The European Rail Traffic Management System (ERTMS) is a system of standards for management and interoperation of signalling for railways. The case study focuses on the ERTMS Level 3 Hybrid principles, which accommodates different types of trains, includi...
Chapter
This chapter presents the results of the railway domain. It focuses on the validation of a route control system using a model-based approach and formal methods. A main technical challenge is the automation of the translation step between a formalized specification and a mathematical model which allows for proofs of functional and safety properties...
Article
Cross-layer runtime management (RTM) frameworks for embedded systems provide a set of standard APIs for communication between different system layers (i.e. RTM, applications and device) and simplify the development process by abstracting these layers. Integration of independently developed components of the system is an error-prone process that req...
Chapter
Formal methods use abstraction and rigorously verified refinement to manage the design of complex systems, ensuring that they satisfy important invariant properties. However, formal verification is not sufficient: models must also be tested to ensure that they behave according to the informal requirements and validated by domain experts who may not...
Conference Paper
Behaviour driven formal model development (BDFMD) enables domain engineers to influence and validate mathematically precise and verified specifications. In previous work we proposed a process where manually authored scenarios are used initially to support the requirements and help the modeller. The same scenarios are used to verify behavioural prop...
Chapter
Statechart modelling notations, with so-called ‘run to completion’ semantics and simulation tools for validation, are popular with engineers for designing systems. However, they do not support formal refinement and they lack formal static verification methods and tools. For example, properties concerning the synchronisation between different parts...
Conference Paper
Full-text available
A key risk with autonomous systems (AS) is the trustworthiness of the decision-making and control mechanisms that replace human control. To be trustworthy, systems need to remain safe while being resilient to unpredictable changes, functional/operational failures and cybersecurity threats. Rigorous validation (does the solution satisfy the stakehol...
Conference Paper
p>Formal modelling methods rightly focus on the primary goal of verifying properties. This can however, lead to inadequate facilities for structuring the model into manageable verification components. For example, the Event-B language is designed to achieve a high level of automatic theorem proofs through a linear sequence of refinements. In previo...
Conference Paper
Statechart modelling notations, with so-called `run to completion' semantics and simulation tools for validation, are popular with engineers for designing systems. However, they do not support formal refinement and they lack formal static verification methods and tools. For example, properties concerning the synchronisation between different parts...
Chapter
Formal systems modelling offers a rigorous system-level analysis resulting in a precise and reliable specification. However, some issues remain: Modellers need to understand the requirements in order to formulate the models, formal verification may focus on safety properties rather than temporal behaviour, domain experts need to validate the final...
Conference Paper
Event-B is a formal method for system-level modelling and analysis, which uses logic and set theory to describe discrete labelled transition systems. Timed transition systems have been introduced to incorporate timing constraints on transitions to describe real-time behaviours of the system. This paper proposes an approach to modelling high level t...
Chapter
This paper proposes a new extension to the Event-B modelling method to facilitate the building of hierarchical mathematical libraries to ease the formal modelling of many systems. The challenges are to facilitate building mathematical theories, be compatible with the current method and tools, and to be extensible by users within the Rodin Platform...
Conference Paper
Formal systems modelling offers a rigorous system-level analysis resulting in a precise and reliable specification. However, some issues remain: Modellers need to understand the requirements in order to formulate the models, formal verification may focus on safety properties rather than temporal behaviour, domain experts need to validate the final...
Conference Paper
Event-B is a refinement-based formal method that is used for system-level modeling and analysis of concurrent and distributed systems. Work has been done to extend Event-B with discrete time constraints. However the previous work does not capture the communication and competition between concurrent processes. In this paper, we distinguish task-base...
Preprint
Full-text available
In this abstract, we briefly present our experience in generating code from Event-B models of run-time management software for multi-core embedded platforms as part of the PRiME project 1. We discuss the current limitation in Event-B Code Generation (CG) and outline our plan for a new CG tool. 1 RTM Code Generation Development of RTM software can r...
Preprint
Correct operation of many critical systems is dependent on the data consistency and integrity properties of underlying databases. Therefore, a verifiable and rigorous database design process is highly desirable. This research aims to investigate and deliver a comprehensive and practical approach for modelling databases in formal methods through lay...
Article
Full-text available
Correct operation of many critical systems is dependent on the data consistency and integrity properties of underlying databases. Therefore, a verifiable and rigorous database design process is highly desirable. This research aims to investigate and deliver a comprehensive and practical approach for modelling databases in formal methods through lay...
Chapter
Scheduled Event-B (SEB) augments Event-B with a scheduling language to make the control flow in an Event-B model explicit and facilitate derivation of algorithmic structure in Event-B refinement. A concrete SEB model has a concrete algorithmic structure associated with it. Although this structure reduces the difficulty of code generation, there is...
Chapter
This document presents a description of the European Rail Traffic Management System (ERTMS) case study. ERTMS is a system of standards for management and interoperation of signalling for railways by the European Union (EU). The case study focuses on the ERTMS Level 3 Hybrid principle, which accommodates different types of trains including ERTMS tra...
Conference Paper
Full-text available
Scheduled Event-B (SEB) augments Event-B with a scheduling language to make the control flow in an Event-B model explicit and facilitate derivation of algorithmic structure in Event-B refinement. A concrete SEB model has a concrete algorithmic structure associated with it. Although this structure reduces the difficulty of code generation, there is...
Conference Paper
We wish to model railway control systems in a formally precise way so that product lines can be adapted to specific customer requirements. Typically a customer is a railway operator with national conventions leading to different variation points based on a common core principle. A formal model of the core product must be precise and manipulatable s...
Conference Paper
Full-text available
Event-B is a state-based formal method for modelling and verifying the consistency of discrete systems. Event refinement structures (ERS) augment Event-B with hierarchical diagrams, providing explicit support for workflows and refinement relationships. Despite the variety of ERS combinators, ERS still lacks the flexibility to model dynamic workflow...
Article
We present a formal specification and analysis of a haemodialysis machine (HD machine) in Event-B using the Rodin Toolset. The medical device domain is a particularly complex multidisciplinary field involving disparate branches of engineering, biological and medical fields as well as a critical patient-machine interface. Requirements include safety...
Conference Paper
Correct operation of many critical systems is dependent on the data consistency and integrity properties of underlying databases. Therefore, a verifiable and rigorous database design process is highly desirable. This research aims to investigate and deliver a comprehensive and practical approach for modelling databases in formal methods through lay...
Conference Paper
We propose to extend iUML-B class-diagrams to elaborate Abstract Data Types (ADTs) specified using Event-B theories. Classes are linked to data types, while attributes and associations correspond to operators of the data types. Axioms about the data types and operators are specified as constraints on the class. We illustrate our approach on a devel...
Article
Hybrid Event-B, initially introduced for single machines to add continuously varying behaviour to discrete change of state in Event-B, is extended to cater for multiple cooperating machines. Multiple machine working is mediated by INTERFACE and PROJECT constructs. The former encapsulates a set of variables, their invariants and initialisations, in...
Conference Paper
Full-text available
Our work aims to build a bridge between constructive (top-down) and analytical (bottom-up) approaches to software verification. This paper presents a tool-supported method for linking two existing verification methods: Event-B (constructive) and Dafny (analytical). This method combines Event-B abstraction and refinement with the code-level verifica...
Article
Full-text available
Bridging the gap between informal requirements and formal specifications is a key challenge in systems engineering. Constructing appropriate abstractions in formal models requires skill and managing the complexity of the relationships between requirements and formal models can be difficult. In this paper we present an approach that aims to address...
Conference Paper
Full-text available
The constructive approach to software correctness aims at formal modelling and verification of the structure and behaviour of a system in different levels of abstraction. In contrast, the analytical approach to software verification focuses on code level correctness and its verification. Therefore it would seem that the constructive and analytical...
Conference Paper
The constructive approach to software correctness aims at formal modelling and verification of the structure and behaviour of a system in different levels of abstraction. In contrast, the analytical approach to software verification focuses on code level correctness and its verification. Therefore it would seem that the constructive and analytical...
Article
Faced with the increasing need for correctly designed hybrid and cyber-physical systems today, the problem of including provision for continuously varying behaviour as well as the usual discrete changes of state is considered in the context of Event-B. An extension of Event-B called Hybrid Event-B is presented, that accommodates continuous behaviou...
Conference Paper
A Run-Time Management system for many-core architecture is aware of application requirements and able to save energy by sacrificing performance when it will have negligible impact on user experience. This paper outlines the application of a process for development of a run-time management system that integrates a range of modelling, validation, ver...
Conference Paper
Full-text available
Ideally the development process of software systems with Event-B and Rodin platform should lead to implementation and executables. The Event-B language and Rodin in their basic form do not have any facility to support this. To bridge this gap, some research has been carried out and several plugins have been developed to provide facilities for the R...
Conference Paper
Full-text available
This work in progress presents a prototype multi-simulation environment for the Rodin platform that enables import, co-modelling and co-simulation of dynamic models and formal Event-B specifications, which can help in the design of mixed discrete-event/continuous-time systems. The proposed solution is based on the Functional Mock-up Interface stand...
Conference Paper
MapReduce is a powerful distributed data processing model that is currently adopted in a wide range of domains to efficiently handle large volumes of data, i.e., cope with the big data surge. In this paper, we propose an approach to formal derivation of the MapReduce framework. Our approach relies on stepwise refinement in Event-B and, in particula...
Article
Event-B is a formal method for modelling and verifying the consistency of chains of model refinements. The event refinement structure (ERS) approach augments Event-B with a graphical notation which is capable of explicit representation of control flows and refinement relationships. In previous work, the ERS approach has been evaluated manually in t...
Article
We present a generic co-simulation approach between discrete-event models, developed in the Event-B formal method, and continuous models, exported via the Functional Mock-up Interface for Co-simulation standard. The concept is implemented into a simulation extension for the Rodin platform, thus leveraging powerful capabilities of refinement-based m...
Article
Full-text available
Constructing traceable Event-B models from requirements is crucial in the system development process. It enables the validation of the model against the requirements and allows to identify different refinement levels, which is a key to successful formal modelling with a refinement-based method. Our objective is to present an approach based on the u...
Article
Integrating graphical representations with formal methods can help bridge the gap between requirements and formal modelling. In this paper, we compare and evaluate two graphical approaches aiming at describing control flows and refinement in Event-B, and we use a fire dispatch system case study to perform this evaluation. The fire dispatch system c...
Conference Paper
A case study on automotive cruise control originally done in (conventional, discrete) event-b is reexamined in hybrid event-b (an extension of event-b that includes provision for continuously varying behaviour as well as the usual discrete changes of state). A significant case study such as this has various benefits. It can confirm that the hybrid...
Conference Paper
The Rodin tool for Event-B supports formal modelling and proof using a mathematical language that is based on predicate logic and set theory. Although Rodin has in-built support for a rich set of operators and proof rules, for some application areas there may be a need to extend the set of operators and proof rules supported by the tool. This paper...
Conference Paper
Full-text available
Integrating graphical representations with formal methods can help bridge the gap between requirements and formal modelling. In this paper, we compare and evaluate two graphical approaches aiming at describing control flows and refinement in Event-B, and we use a fire dispatch system case study to perform this evaluation. The fire dispatch system c...
Conference Paper
The control law of a typical industrial system has a modulating (continuous) component and a sequential/modal component. Control engineers are traditionally good at specifying the modulating part of the control laws unambiguously, correctly and completely. Software engineers have similar skills on the sequential component. In this paper, we discuss...
Conference Paper
To break the complexity of the formalisation process, we propose to model a functional requirement document of a control system as composeable monitored, controlled, mode and commanded sub-models. Influenced by the problem frame approach and the decomposition of the four-variable model, we suggest decomposing requirements of a control system into m...
Chapter
Together with many Rodin plug-ins, the Rodin platform supports the application of refinement-based development using Event-B and linked methods. This chapter outlines the management of the development and evolution of these tools during the lifetime of the DEPLOY project in response to deployment needs and methodological developments. The planning...
Article
Full-text available